b'  2010 Annual FISMA Executive\n  Summary Report\n\n\n\n\n                                          March 3, 2011\n                                         Report No. 489\nAssessment and Review Conducted by C5i\n\x0c                                                            UNITED STATES\n                                           SECURITIES AND EXCHANGE COMMISSION\n                                                       WASHINGTON. D.C.     2.0540\n\n\n        O .... \'cO: 0"\n\' ..... O:CTO. GO: .. O: ......\n\n\n\n\n                                                  MEMORANDUM\n                                                            March 3, 2011\n\n\n                   To:                  Thomas Bayer, Chief Information Officer, OffICe of Information\n                                        Technology (OIT)\n\n                  From:                 H. David Kotz. Inspector General. OffICe of Inspector Genera WbJ.r\n\n                   SUbject:             2010 Annual FISMA Executive Report, Report No. 489\n\n                  This memorandum transmits the U.S. Securities and Exchange Commission\'s\n                  OffICe of Inspector General\'s (OIG) final report on the 2010 Federal Information\n                  Security Management Act of 2002 (FISMA) review. The final report contains\n                  eight recommendations which if implemented, should strengthen the\n                  Commission\'s security posture. OIT concurred with all eight recommendations.\n                  Your written response to the draft report is included in Appendix VI.\n\n                  Within the next 45 days, please provide the OIG with a written corrective action\n                  plan that is designed to address the agreed upon recommendations. The\n                  corrective action plan should include informaUon such as the responsible\n                  offlCiaVpoint of contact. timeframes for completing the required actions. and\n                  milestones identifying how you will address the recommendations cited in this\n                  report.\n\n                  Should you have any questions regarding this report, please do not hesitate to\n                  contact me. We appreciate the courtesy and cooperation that you and your staff\n                  extended to our staff and contractors during this review.\n\n                  Attachment\n\n                  ce:             Kayla J. Gillan. Deputy Chief of Staff, Office of the Chairman\n                                  Luis A. Aguilar, Commissioner\n                                  Troy A. Paredes, Commissioner\n                                  Elisse Walter, Commissioner\n                                  Jeff Heslop, Chief Operating Officer, Office of Chtef of Operations\n                                  Diego T. Ruiz, Executive Director, Office of the Executive Director\n                                  Lewis W. Walker, Deputy Director and Cht9f Technology Officer, Office of\n                                      Information Technology\n\n\n\n\n         2010 Annual FISMA Executive Report                                                         March 3, 2011\n         Report No. 489\n                                                                Page ii\n\x0c      2010 FISMA Executive Summary Report\n\n                                Executive Summary\nIn August 2010, the U.S. Securities and Exchange Commission (SEC or\nCommission), Office of Inspector General (OIG), contracted C5i Federal, Inc.\n(C5i) to assist with the completion and coordination of the OIG\xe2\x80\x99s input to the\nCommission\xe2\x80\x99s response to the Office of Management and Budget (OMB),\nMemorandum M-10-15 FY 2010 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management. 1 This\nmemorandum provides the instructions and templates for meeting the fiscal year\n(FY) 2010 reporting requirements under the Federal Information Security\nManagement Act of 2002 (FISMA) (Title III, Pub. L. No. 107-347). 2\n\nC5i commenced work on this project in September 2010. C5i\xe2\x80\x99s tasks included\ncompleting the OIG portion of the FISMA template (Section C) and developing an\nExecutive Summary Report that communicates the Inspector General\xe2\x80\x99s response\nto the 2010 FISMA submission. C5i\xe2\x80\x99s responses were based on information that\nwas provided in agency staff interviews and a review of supporting\ndocumentation. C5i did not conduct detailed control tests to verify the accuracy\nof the data the SEC provided. Based on C5i\xe2\x80\x99s assessment and\nrecommendations, the OIG submitted its responses to the 2010 FISMA\nquestionnaire using OMB\xe2\x80\x99s on-line reporting tool, CyberScope.\n\nBackground. FISMA, 44 U.S.C. \xc2\xa7 3541, et seq., is a United States federal law\nenacted in 2002 as the Title III of the E-Government Act of 2002. The statute\nrecognizes the importance of information security to the economic and national\nsecurity interests of the United States. Further, the statute requires federal\nagencies to develop, document, and implement an agency-wide program that\nprovides security for the information and information systems that support the\noperations and assets of the agency, including those provided or managed by\nother agencies, contractors, or other sources.\n\nFISMA requires agency program officials, Chief Information Officers, Privacy\nOfficers, and OIGs to conduct annual reviews of the agency\xe2\x80\x99s information\nsecurity and privacy programs, and report the results to OMB. The OMB then\nuses this data to assist in its oversight responsibilities and to prepare its annual\nreport to Congress on agency compliance with the statute.\n\n1\n  Office of Management and Budget\xe2\x80\x99s Memorandum M-10-15, FY 2010 Reporting Instructions for the\nFederal Information Security Management Act and Agency Privacy Management, http://www.\nwhitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf.\n2\n  Federal Information Security Management Act of 2002 (Title III, Pub. L. No. 107-347), http://csrc.\nnist.gov/drivers/documents/FISMA-final.pdf.\n2010 Annual FISMA Executive Report                                                         March 3, 2011\nReport No. 489\n                                                 Page iii\n\x0cFISMA provides the framework for securing the Federal Government\xe2\x80\x99s\ninformation technology. All agencies must implement the requirements of FISMA\nand report annually to OMB and Congress on the effectiveness of their\ninformation security and privacy programs. OMB uses this information to:\n\n   (1) Help evaluate agency-specific and government-wide information security\n       and privacy program performance;\n   (2) Develop its annual security report to Congress;\n   (3) Assist in improving and maintaining adequate agency performance; and\n   (4) Assist in the development of the E-Government Scorecard under the\n       President\xe2\x80\x99s Management Agenda.\n\nAs part of its FISMA review, C5i also conducted reviews to examine the SEC\xe2\x80\x99s\ncontinuous monitoring program and covering the SEC\xe2\x80\x99s oversight of contractor\nheld personally identifiable information. The results of these audits will be issued\nlater, in separate OIG reports.\n\nObjectives. The overall objective for the FISMA assessment was to\nindependently evaluate and report on how the Commission has implemented its\nmandated information security requirements. Secondarily, the objective was to\nprovide clarity regarding the OIG\xe2\x80\x99s input and responses to the OMB\nquestionnaire.\n\nResults. The key findings and results for the 2010 FISMA assessment are as\nfollows:\n   \xe2\x80\xa2   The Commission has developed a Certification and Accreditation (C&A)\n       program, and is in compliance with applicable regulatory and statutory\n       requirements. However, as noted in the SEC OIG\xe2\x80\x99s Assessment of the\n       SEC\xe2\x80\x99s Privacy Program, Report No. 485, September 29, 2010 (Report No.\n       485), the Office of Information Technology\xe2\x80\x99s (OIT) categorization of\n       network vulnerabilities may impact the C&A process. OIT concurred with\n       the recommendation and is currently re-evaluating its risk categorization\n       process.\n   \xe2\x80\xa2   The SEC has a Security Configuration Management program that has\n       policies and procedures, baselines, and an inventory of software and\n       hardware. However, as also noted in Report No. 485, OIT has not fully\n       implemented the Federal Desktop Core Configuration (FDCC), exceptions\n       have not been reported to the National Institute of Standards and\n       Technology (NIST), and justifications for identified \xe2\x80\x9cexceptions\xe2\x80\x9d have not\n       been fully documented.\n\n   \xe2\x80\xa2   OIT has an Incident Response & Reporting Program with documented\n       policies and procedures. The SEC Incident Response handbook details\n\n2010 Annual FISMA Executive Report                                     March 3, 2011\nReport No. 489\n                                      Page iv\n\x0c        the SEC employees and contractors roles and responsibilities in\n        reporting/responding to incidents. Incidents are documented from the\n        moment of reporting until resolution.\n\n    \xe2\x80\xa2   Annual Security Awareness Training was provided to all SEC employees\n        and contractors. In 2010, the SEC developed its own training and\n        incorporated its \xe2\x80\x9cSEC Rules of the Road\xe2\x80\x9d training into the sessions. As of\n        November 15, 2010, 4,732 of 4,778 (99.04 percent) SEC employees and\n        contractors successfully completed the Annual Cybersecurity Awareness\n        training.\n\n    \xe2\x80\xa2   OIT maintains a Plan of Actions & Milestones (POA&M) process. The\n        POA&M details the vulnerability, associated NIST controls,\n        remediation/mitigation strategy, risk level, and projected/planned\n        remediation date. The POA&M is reviewed and updated quarterly.\n        POA&M items are tracked using the Cyber Security Assessment and\n        Management (CSAM) tool.\n\n    \xe2\x80\xa2   The SEC has a \xe2\x80\x9cRemote Access\xe2\x80\x9d program that complies with federal\n        guidance and employs security measures. The remote access program\n        using a two factor authentication requirement comprised of an account\n        password and a RSA token that has a Personal Identification Number\n        (PIN). SEC employees and contractors can remotely access the SEC\xe2\x80\x99s\n        systems with an account password and RSA token and PIN. OIT\xe2\x80\x99s policies\n        and procedures are documented and comply with NIST, OMB, and FISMA\n        guidance. 3\n\n    \xe2\x80\xa2   The SEC has an account and identity management program with policies\n        and procedures for both establishing and deactivating physical and logical\n        (network) accounts. However, the HSPD-12 card program completion\n        date was delayed from September 30, 2010 to June 30, 2011, for both\n        physical access and logical access. Also, in several instances, \xe2\x80\x9cleast-\n        privilege,\xe2\x80\x9d e.g., access only required to perform the functions of a user\xe2\x80\x99s\n        position, was not effectively applied for network accounts having\n        \xe2\x80\x9cindefinite administrative\xe2\x80\x9d privileges, which provide the user with the ability\n        to install software and make changes to mandatory settings. In the event\n        this level of privilege is granted to a user, it should be only for a set\n        amount of time such as 60 - 90 minutes, that is needed to perform a\n        specific and approved function and then the privilege should be disabled.\n\n    \xe2\x80\xa2   The SEC has a continuous monitoring program that includes vulnerability\n        scanning, patch management policies and procedures, and ongoing\n        assessment of security controls. However, as noted in Report No. 485,\n3\n RSA tokens are two-factor authentication devices based on something you know such as a password or\nPIN and something you have such as an authenticator device.\n2010 Annual FISMA Executive Report                                                     March 3, 2011\nReport No. 489\n                                              Page v\n\x0c         there remains a problem with the timely implementation of new patches.\n         Further, OIT maintains insufficient documentation on what patches were\n         deployed and the date of deployment.\n\n   \xe2\x80\xa2     The SEC has a Contingency Planning program with documented policies\n         and procedures. Contingency plan testing is performed bi-annually in\n         April and November. Further, \xe2\x80\x9cLessons Learned\xe2\x80\x9d from the exercises are\n         developed and addressed.\n\n   \xe2\x80\xa2     The SEC has a contractor oversight program and has documented\n         policies and procedures utilizing adequate security controls in accordance\n         with the NIST and OMB guidance.\n\nSummary of Recommendations. We developed eight recommendations to\naddress vulnerabilities identified in the current assessment. Specifically, we\nrecommend that:\n\n   (1)    OIT should identify all exceptions to the Federal Desktop Core\n          Configuration standards and submit them to National Institute of\n          Standards and Technology within 90 days of the issuance date of this\n          report.\n\n   (2)    OIT should ensure justifications for deviations from Federal Desktop\n          Core Configurations requirements are fully documented.\n\n   (3)    OIT should:\n\n          3a. Perform a thorough review and identify the universe of all\n              Commission user accounts;\n          3b. Once the universe has been identified, OIT should then identify all\n              \xe2\x80\x9cactive\xe2\x80\x9d and \xe2\x80\x9cinactive\xe2\x80\x9d user accounts and determine whether or not\n              the account should be disabled; and\n          3c. Take immediate action to disable the accounts of employees and\n              contractors who no longer work at the Commission.\n\n   (4)    OIT should review their policies and procedures for disabling accounts to\n          ensure they are well-documented and thorough, and provide training to\n          appropriate staff regarding account termination procedures.\n\n   (5)    OIT should complete the logical access integration of the HSPD-12 card\n          program no later than December 2011, as it reported to OMB on\n          December 31, 2010.\n\n   (6)    OIT should conduct a full review and identify the universe of all users\n          with elevated privileges.\n2010 Annual FISMA Executive Report                                      March 3, 2011\nReport No. 489\n                                       Page vi\n\x0c   (7)   Based on the review results of recommendation 6, OIT should enforce or\n         develop procedures to ensure:\n\n          7a. Only users whose job function require permanent elevated access\n              have the needed privileges;\n          7b. Business justifications are fully documented; and\n          7c. Elevated privileges are only issued for the finite amount of time\n              needed to complete assigned task.\n\n   (8)   OIT should establish and maintain an accurate and current list of all\n         users that have elevated privileges.\n\n\n\n\n2010 Annual FISMA Executive Report                                     March 3, 2011\nReport No. 489\n                                     Page vii\n\x0cTABLE OF CONTENTS\nExecutive Summary ......................................................................................................iii\n\nTable of Contents ....................................................................................................... viii\n\nBackground and Objectives .......................................................................................... 1\n\nFindings and Recommendations ......................................................................... 3\n     Finding 1: Exceptions to Federal Desktop Core Configuration Deviations\n     are not Fully Documented .................................................................................. 3\n            Recommendation 1 ................................................................................. 4\n            Recommendation 2 ................................................................................. 5\n\n         Finding 2: Accounts Are Not Properly Terminated when Users No Longer\n         Require Access .................................................................................................. 5\n                Recommendation 3 ................................................................................. 7\n                Recommendation 4 ................................................................................. 7\n\n         Finding 3: SEC Has Not Adequately Implemented the Personal Identity\n         Verification for Logical Access to All Employees and Contractors ..................... 7\n                Recommendation 5 ................................................................................. 9\n\n         Finding 4: Privileges Granted are Excessive ..................................................... 9\n                Recommendation 6 ............................................................................... 10\n                Recommendation 7 ............................................................................... 10\n                Recommendation 8 ............................................................................... 11\n\nAppendices\n    Appendix I: Acronyms ..................................................................................... 12\n    Appendix II: Scope and Methodology .............................................................. 14\n    Appendix III: Criteria and Guidance ................................................................ 17\n    Appendix IV: List of Recommendations .......................................................... 20\n    Appendix V: OIG\xe2\x80\x99s Response to the OMB Questionnaire ............................... 22\n    Appendix VI: Management Comments ............................................................ 57\n    Appendix VII: OIG Response to Management\xe2\x80\x99s Comments ........................... 59\n    Appendix VIII: Screenshots ............................................................................. 60\n\nTables\n     Table 1:          OIG Response to Question 1 ............................................................ 25\n     Table 2:          OIG Response to Questions 2 and 3................................................. 31\n     Table 3:          OIG Response to Question 4 ............................................................ 36\n     Table 4:          OIG Response to Question 5 ............................................................ 37\n     Table 5:          OIG Response to Question 6 ............................................................ 39\n\n2010 Annual FISMA Executive Report                                                                  March 3, 2011\nReport No. 489\n                                                     Page viii\n\x0c       Table 6: OIG Response to Question 7 ............................................................ 42\n       Table 7: OIG Response to Question 8 ............................................................ 48\n       Table 8: OIG Response to Question 9 ............................................................ 51\n       Table 9: OIG Response to Question 10 .......................................................... 54\n       Table 10: OIG Response to Question 11 ........................................................ 56\n\nFigures\n     Figure 1:     SEC Administrative Notice, Issued 11/23/2010 ................................ 60\n     Figure 2:     CSAM Home Page ........................................................................... 61\n     Figure 3:     Inventory of GAO POA&Ms .............................................................. 62\n     Figure 4:     POA&M Entry Page ......................................................................... 63\n     Figure 5:     POA&M Page ................................................................................... 64\n     Figure 6:     Incident Escalation Flow Chart ......................................................... 65\n\n\n\n\n2010 Annual FISMA Executive Report                                                          March 3, 2011\nReport No. 489\n                                              Page ix\n\x0c                 Background and Objectives\nBackground\nOverview. In August 2010, the U.S. Securities and Exchange Commission\n(SEC or Commission), Office of Inspector General (OIG), contracted with C5i\nFederal, Inc. (C5i) to assist with the completion and coordination of the OIG\xe2\x80\x99s\ninput to the Commission\xe2\x80\x99s response to the Office of Management and Budget\n(OMB), Memorandum M-10-15 FY 2010 Reporting Instructions for the\nFederal Information Security Management Act and Agency Privacy\nManagement. 4 This memorandum provides the instructions and templates\nfor meeting the fiscal year (FY) 2010 reporting requirements under the\nFederal Information Security Management Act of 2002 (FISMA) (Title III, Pub.\nL. No. 107-347). 5\n\nFISMA provides the framework for securing the Federal Government\xe2\x80\x99s\ninformation technology. All agencies must implement the requirements of\nFISMA and report annually to OMB and Congress on the effectiveness of\ntheir information security and privacy programs. OMB uses the information to\nhelp evaluate agency-specific and government-wide information security and\nprivacy program performance, develop its annual security report to Congress,\nassist in improving and maintaining adequate agency performance, and assist\nin the development of the E-Government Scorecard under the President\xe2\x80\x99s\nManagement Agenda.\n\nC5i commenced work on this project in September 2010. C5i\xe2\x80\x99s tasks\nincluded completing the OIG portion of the FISMA template (Section C) and\ndeveloping an executive summary report that communicates the Inspector\nGeneral\xe2\x80\x99s (IG) response to the 2010 FISMA submission. C5i\xe2\x80\x99s responses are\nbased on information that was provided by agency staff and through\ninterviews and the review of supporting documentation. C5i did not conduct\ndetailed control tests to verify the accuracy of the data the SEC staff provided.\nBased on C5i\xe2\x80\x99s assessment and recommendations, the OIG submitted its\nresponses to the 2010 FISMA questionnaire via OMB\xe2\x80\x99s on-line reporting tool,\nCyberScope.\n\nFurther, as part of the FISMA assessment, C5i will further conduct audits\nexamining the SEC\xe2\x80\x99s continuous monitoring program reviewing the SEC\xe2\x80\x99s\noversight of contractor held personally identifiable information. These audits\nwill be issued later, in separate OIG reports.\n4\n  Office of Management and Budget\xe2\x80\x99s Memorandum M-10-15, FY 2010 Reporting Instructions for the\nFederal Information Security Management Act and Agency Privacy Management,\nhttp:/www.whitehouse.gov/ sites/default/files/omb/assets/memoranda_2010/m10-15.pdf\n5\n  Federal Information Security Management Act of 2002 (Title III, Pub. L. No. 107-347),\nhttp://csrc.nist.gov/drivers/documents/FISMA-final.pdf\n2010 Annual FISMA Executive Report                                                      March 3, 2011\nReport No. 489\n                                              Page 1\n\x0cObjectives\nThe overall objective for the FISMA assessment was to provide an\nindependent evaluation and report on how the Commission has implemented\nits mandated information security requirements. Secondarily, the objective\nwas to provide clarity regarding the OIG\xe2\x80\x99s input and responses to the OMB\nquestionnaire.\n\n\n\n\n2010 Annual FISMA Executive Report                                 March 3, 2011\nReport No. 489\n                                     Page 2\n\x0c            Findings and Recommendations\n\nFinding 1: Exceptions to Federal Desktop Core\nConfiguration Deviations Have Not Been Fully\nDocumented\n        OIT has not fully documented its \xe2\x80\x9cmanagement decisions\xe2\x80\x9d\n        for deviating from the Federal Desktop Core Configuration\n        (FDCC) requirements. In addition, the Office of Information\n        Technology (OIT) has not reported its deviations to the\n        National Institute of Standards and Technology (NIST).\n\nFDCC Security Requirements and Standards\n\nAs identified in the SEC OIG\xe2\x80\x99s Assessment of the SEC\xe2\x80\x99s Privacy Program,\nReport No. 485, September 29, 2010 (Report No. 485), the Commission\nmaintains a list of deviations from the FDCC security requirements/standards.\nHowever, OIT has not submitted its list of deviations from FDCC to NIST, as\nrequired by OMB Memorandum M-09-29, FY 2009 Reporting Instruction for\nthe Federal Information Security Management Act and Agency Privacy\nManagement (OMB Memorandum M-09-29). OIT provided C5i with a list of\nits deviations from FDCC standards. The list consists of a comment field\nentitled \xe2\x80\x9cmanagement decisions.\xe2\x80\x9d Based on interviews with OIT staff, C5i\nrequested clarification on the \xe2\x80\x9cmanagement decisions\xe2\x80\x9d contained in the\ncomment field. OIT staff acknowledged that OIT management made a\ndetermination in an OIT management meeting that it would deviate from\nFDCC standards. When asked for the meeting notes or information about\nwho attended the meeting, OIT staff stated that meeting minutes were not\ntaken and that staff could only recall from memory that the Assistant Director\nfor Infrastructure Engineering was in attendance at the meeting. Per OMB\nMemorandum M-09-29, 6 exceptions to FDCC security configuration\nrequirements are permitted for requirements that may impair the operations of\nagency-specific applications. However, such deviations from the FDCC\nsecurity configuration requirements must be documented and submitted to\nNIST, and OIT must be able to justify the deviations.\n\nAs of January 10, 2011, OIT had not provided NIST with its deviations from\nthe FDCC requirements. As a result, OIT has not met the OMB requirements\nset forth in OMB\xe2\x80\x99s Memorandum for Heads of Executive Departments and\n\n6\n OMB Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management.\n2010 Annual FISMA Executive Report                                                     March 3, 2011\nReport No. 489\n                                             Page 3\n\x0cAgencies, M-10-15, FY 2010 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management,\nwhich states, \xe2\x80\x9cAgencies must document and provide NIST with any deviations\nfrom the common security configurations 7 and be prepared to justify why they\nare not using them. IGs should review such use.\xe2\x80\x9d 8 Further, OIT was unable\nto justify to the OIG why it is not using the common security configurations.\n\nIn addition, during our review of the deviations concerning the SEC\xe2\x80\x99s\npassword policy, we found some exceptions had only \xe2\x80\x9cmanagement decision\xe2\x80\x9d\nas the stated justification. For example, current SEC policy requires that\npasswords have at least\n                       and that the password expires every           . FDCC\nsecurity configuration requires passwords to consist of a minimum of 12\ncharacters with upper and lower case letters and numbers, and that the\npasswords expire every 90 days. C5i requested documentation from OIT\nstaff to obtain an understanding regarding the nature of OIT\xe2\x80\x99s \xe2\x80\x9cmanagement\ndecision\xe2\x80\x9d to deviate from this FDCC requirement, but we were informed that\nsupporting documentation was unavailable and no substantive explanation\nwas provided for the decision. Without proper documentation to support its\ndecision to deviate from the FDCC security requirements, OIT cannot\nadequately justify its management decision to not fully implement FDCC\xe2\x80\x99s\nsecurity requirements.\n\n        Recommendation 1:\n\n        The Office of Information Technology should identify all exceptions to\n        the Federal Desktop Core Configuration standards and submit them to\n        National Institute of Standards and Technology within 90 days of the\n        issuance date of this report.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VI for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n\n\n\n7\n Documentation should be sent to this email address: checklists@nist.gov.\n8\n OMB\xe2\x80\x99s Memorandum for Heads of Executive Departments and Agencies, M-10-15, Subject: FY 2010\nReporting Instructions for the Federal Information Security Management Act and Agency Privacy\nManagement, http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf.\n2010 Annual FISMA Executive Report                                                         March 3, 2011\nReport No. 489\n                                               Page 4\n\x0c        Recommendation 2:\n\n        The Office of Information Technology should ensure justifications for\n        deviations to Federal Desktop Core Configurations requirements are\n        fully and adequately documented.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VI for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n\nFinding 2: Network Accounts Are Not Properly\nTerminated When Users No Longer Require\nAccess to the Network\n         SEC network accounts for 14 employees who no longer\n         require access to the network were not disabled in a timely\n         manner. Additionally, two accounts were used to access\n         the SEC\xe2\x80\x99s network after the assigned account users were\n         no longer employed.\n\nSEC Network Systems and User Accounts for SEC Employees\nand Contractors\nTo ensure the protection of the SEC\xe2\x80\x99s network systems and data, user\naccounts for SEC employees and contractors that leave the SEC (e.g.,\nseparated/terminated staff) should be disabled on the employee\xe2\x80\x99s or\ncontractor\xe2\x80\x99s last day of work at the Commission. Account termination\nrequests are completed by an Information Technology (IT) Specialist or\nadministrative contact for the office/division where the person works.\nCompleted requests are submitted electronically to OIT. In the event of an\n\xe2\x80\x9cinvoluntary termination,\xe2\x80\x9d the Technical Assistance Center (TAC) and OIT\nsecurity should be notified immediately of the termination and the account\nshould then be disabled. User accounts for SEC employees and contractors\nthat are separated/terminated from the SEC but remain active after their\ndeparture pose a significant security risk to the Commission, because the\nSEC\xe2\x80\x99s network systems are vulnerable and could be compromised by these\nseparated/terminated staff whose access privileges remain active. In\naddition, separated/terminated staff could provide the SEC system\ninformation to a malicious party.\n\n\n2010 Annual FISMA Executive Report                                      March 3, 2011\nReport No. 489\n                                      Page 5\n\x0cOMB Circular A-123, Management\xe2\x80\x99s Responsibility for Internal Control,\nAppendix A, Internal Control over Financial Reporting requires agency\nmanagement to assess, document, test, and report on the effectiveness of\nInternal Control over Financial Reporting (ICFR) in its annual Performance\nand Accountability Report. The ICFR is a methodology designed to provide\nreasonable assurance regarding the reliability of financial reporting. The\nfollowing internal control elements are evaluated:\n\n    (1) Control environment;\n    (2) Risk assessment;\n    (3) Control activities;\n    (4) Information and communication; and\n    (5) Monitoring.\n\nC5i reviewed the results of the SEC\xe2\x80\x99s ICFR A-123 assessment that was\nconducted by the Office of Financial Management\xe2\x80\x99s (OFM) independent\ncontractors. As part of its assessment the OFM IT controls team issued a\nNotice of Findings and Recommendations (NFR) to OIT in August 2010,\nwhich identified the aforementioned deficiency and asked OIT, the control\nowners, to validate the results. The ICFR identified Active Directory (AD)\nnetwork accounts for separated/terminated SEC employees that were not\nbeing disabled in a timely manner. Specifically, the ICFR identified 14 SEC\nemployees who had departed from the SEC and whose AD network accounts\nwere not disabled after their departure. Further, the NFR indicated that two of\nthese employees\xe2\x80\x99 AD network accounts were logged into after the\nemployees\xe2\x80\x99 SEC termination date. As a result of OIT not promptly disabling\nuser accounts when access is no longer needed (i.e., because of separation\nor termination from the Commission), former employees accounts remained\nactive. Hence, a malicious party could have gained access to sensitive SEC\ndata and compromised the Commission\xe2\x80\x99s system. Further, terminated/\nseparated users with elevated privileges, (e.g., local administrative rights), 9\npose an even greater potential threat to the SEC data/network because these\nstaff\xe2\x80\x99s privilege levels allow for access to data/network that is generally not\navailable to normal users. OIT responded to OFM that they agreed with the\ndeficiency and would include it in their remediation efforts for IT security.\n\n\n\n\n9\n Local Administrative access provides users with higher privileges on their workstations than normal\nusers. This level of privilege allows the user to perform functions, such as installation of third party\nsoftware, removing or turning off settings, e.g., forced encryption.\n2010 Annual FISMA Executive Report                                                                  March 3, 2011\nReport No. 489\n                                                   Page 6\n\x0c        Recommendation 3:\n\n        The Office of Information Technology (OIT) should:\n\n            3a. Perform a thorough review and identify the universe of all\n                Commission user accounts.\n            3b. Once the universe has been identified, OIT should then identify\n                all \xe2\x80\x9cactive\xe2\x80\x9d and \xe2\x80\x9cinactive\xe2\x80\x9d user accounts and determine whether\n                any accounts should be disabled.\n            3c. Take immediate action to disable the accounts of employees\n                and contractors who no longer work at the Commission.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VI for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n        Recommendation 4:\n\n        The Office of Information Technology should review their policies and\n        procedures for disabling accounts to ensure they are well-documented\n        and thorough, and provide training to appropriate staff regarding\n        account termination procedures.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VI for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n\nFinding 3: The SEC Has Not Adequately\nImplemented the Personal Identity Verification\nfor Logical Access to All Employees and\nContractors\n        The SEC has not completed logical access integrations of\n        Personal Identity Verification (PIV) cards as required by the\n        Homeland Security Presidential Directive 12 (HSPD-12).\n\n\n\n\n2010 Annual FISMA Executive Report                                      March 3, 2011\nReport No. 489\n                                       Page 7\n\x0cPersonal Identity Verification\nThe SEC has not completed its rollout of the PIV badge to all employees and\ncontractors, as required by the HSPD-12 directive. As a result, all employees\nand contractors are not utilizing the PIV badge for logical access, as required\nby the HSPD-12 directive. Further, rollout of the technology to support the\nPIV program has not been completed. The HSPD-12 directive was published\nin August 2004, and outlined a \xe2\x80\x9cCommon Identification Standard for Federal\nEmployees and Contractors.\xe2\x80\x9d Per the HSPD-12 directive, the HSPD-12\nbadge should be used for both physical access (facilities) and logical access\n(networks). The directive states, \xe2\x80\x9cthe heads of executive departments and\nagencies shall, to the maximum extent practicable, require the use of\nidentification by Federal employees and contractors that meets the Standard\nin gaining physical access to Federally controlled facilities and logical access\nto Federally controlled information systems.\xe2\x80\x9d 10\n\nC5i was initially informed that the HSPD-12 badge rollout for all SEC staff and\ncontractors was to be completed by September 30, 2010. However, the full\nrollout date has now been changed to June 2011. As of December 31, 2010,\n3,311of 5,334 11 SEC employees and contractors were issued HSPD-12\nbadges. 12 However, C5i was unable to verify whether the total number of\ncontactors requiring PIV credentials is accurate because the Commission has\nnot been able to provide the OIG with a consolidated list of its current\ncontractors.\n\nOIT reported in its September 30, 2010 report to OMB that the projected\ncompletion of the HSPD-12 logical access integration was to be December\n30, 2011. However, OIT has now stated that it will not complete its roll-out of\nthe logical access requirement for HSPD-12 until it moves to a new operating\nsystem, because this will provide a cost savings to the government. OIT also\nindicated that it has identified concerns pertaining to the remote access of\nusers that use the HSPD-12 card. OIT stated it is performing further work on\nidentifying technology solutions for these remote access issues. In addition,\n\n10\n   Homeland Security Presidential Directive-12 (HSPD-12), Subject: Policies for a Common\nIdentification Standard for Federal Employees and Contractors, August 27, 2004,\nhttp://www.dhs.gov/xabout/laws/gc_1217616624097.shtm#1.\n11\n   The 3,311 SEC employees and contractors that were issued HSPD-12 badges was derived from the\ntotal number of PIV credentials the SEC issued to its employees 2,669 and the total number of PIV\ncredentials that were issued to contractors 642; as reported in the SEC\xe2\x80\x99s HSPD-12 Implementation\nStatus Report submitted to OMB on December 31, 2010. The 5,334 population of SEC employees and\ncontractors that were issued badges was derived from the total number of PIV credentials that were\nissued to SEC employees 2,669; the total number of PIV credentials that were issued to contactors 642;\nthe number of SEC employees needing PIV credentials 1,238; and the number of contractors needing\nPIV credentials 785; as reported in the SEC\xe2\x80\x99s HSPD-12 Implementation Status Report submitted to\nOMB on December 31, 2010.\n12\n   SEC\xe2\x80\x99s HSPD-12 Implementation Status Report submitted to OMB on December 31, 2010.\nhttp://www.sec.gov/about/piv_report_for_omb.pdf. SEC\xe2\x80\x99s HSPD-12 Implementation Status Report\nsubmitted to OMB on December 31, 2010.\n2010 Annual FISMA Executive Report                                                           March 3, 2011\nReport No. 489\n                                                Page 8\n\x0cas a result of delays in the SEC completing and adjudicating National Agency\nCheck Inquiries background investigations, the SEC has not completed its\nissuance of PIV credentials to all employees and contractors. Further, the\ndelays have impacted OIT\xe2\x80\x99s acquisition of technology to support logical\naccess using PIV credentials. As a result and by not adequately planning the\nimplementation of PIV for logical access, the agency is non-compliant with the\nHSPD-12 directive.\n\n        Recommendation 5:\n\n        The Office of Information Technology should complete the logical\n        access integration of the HSPD-12 card no later than December 2011,\n        as reported to the Office of Management Budget on December 31,\n        2010.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VI for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n\nFinding 4: Administrative Access Privileges\nGranted to Some SEC Staff are Excessive\n        An excessive number of SEC employees and contractors\n        were unnecessarily granted administrative access privileges\n        on a permanent basis.\n\nSEC Administrative Access Privileges\nApproximately 1,000 SEC employees and contractors (users) have been\ngiven local administrative access privileges, which are considered \xe2\x80\x9celevated\nprivileges,\xe2\x80\x9d on a permanent basis, but their job functions do not necessarily\nrequire this level of privilege, other than on a temporary basis. The NIST\nRecommended Security Controls for Federal Information Systems and\nOrganizations, guidance states, \xe2\x80\x9cThe organization employs the concept of\nleast privilege, allowing only authorized accesses for users (and processes\nacting on behalf of users) which are necessary to accomplish assigned tasks\nin accordance with organizational missions and business functions\xe2\x80\x9d. 13 Local\n\n13\n   The National Institute of Standards and Technology, Recommended Security Controls for Federal\nInformation Systems and Organizations, Special Publication 800-53, Revision 3, page F-9,\nhttp://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-\n2010.pdf.\n2010 Annual FISMA Executive Report                                                           March 3, 2011\nReport No. 489\n                                                Page 9\n\x0cadministrative access privileges for workstations consist of elevated privileges\nthat allow users to install software on their systems, change configurations,\ni.e., disabling mandatory encryption for portable media, etc. Local\nadministrative privileges are usually granted to SEC employees and\ncontractors such as system administrators, whose job function requires a\nhigher level of access in order to manage the network and workstations that\nare a part of their job responsibilities. There are occasions when users may\nneed to install software on their desktops, such as CyberScope to respond to\nthe OMB FISMA questionnaire. However, these user privileges should\ngenerally be granted within a set or limited amount of time, such as 60 - 90\nminutes. Based on interviews conducted with OIT personnel and of the users\nthat were identified as having elevated privileges, C5i determined that\nadministrative access was unnecessarily granted to an excessive number of\nusers on a permanent basis.\n\nWe also took a judgmental sampling of the names of current SEC employees\nand contractors who had elevated privileges and compared them to the\nSEC\xe2\x80\x99s email and phone directory and determined that some SEC employees\nand contractors with elevated privileges appeared to no longer work at the\nCommission. Having an excessive number of users with elevated\nadministrative access privileges that are not needed for daily job\nresponsibilities increases the risk that unauthorized software may be installed\non workstations and the standard controls set by OIT may be altered. Also, if\nuser accounts with elevated privileges are compromised, a malicious party\nmay have an easier time accessing the SEC\xe2\x80\x99s networks.\n\n        Recommendation 6:\n\n        The Office of Information Technology should conduct a full review and\n        identify the universe of all users with elevated privileges.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VI for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n        Recommendation 7:\n\n        Based on the review results from recommendation 6, the Office of\n        Information Technology should enforce or develop procedures to\n        ensure:\n\n            7a. Only users whose job function require permanent elevated\n                access have the needed privileges;\n\n2010 Annual FISMA Executive Report                                      March 3, 2011\nReport No. 489\n                                     Page 10\n\x0c            7b. Business justification are fully documented; and\n            7c. Elevated privileges are only issued for the finite amount of time\n                needed to complete assigned task.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VI for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n        Recommendation 8:\n\n        The Office of Information Technology should maintain an accurate and\n        current list of all users that have elevated privileges.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VI for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n\n\n\n2010 Annual FISMA Executive Report                                        March 3, 2011\nReport No. 489\n                                       Page 11\n\x0c                                                                        Appendix I\n\n\n                                     Acronyms\nAD                        Active Directory\nBIA                       Business Impact Assessment\nC&A                       Certification and Accreditation\nCIO                       Chief Information Officer\nCISO                      Chief Information Security Officer\nCM/QA                     Configuration Management and Quality Assurance\nCMU/SEI                   Carnegie Mellon University Software Engineering Institute\nCOOP/DR                   Continuity of Operations/Disaster Recovery\nCOTR                      Contracting Office Technical Representative\nCSAM                      Cyber Security Assessment and Management\nDOJ                       Department of Justice\nESM                       Enterprise Security Manager\nFCD                       Federal Continuity Directive\nFDCC                      Federal Desktop Core Configuration\nFIPS                      Federal Information Processing Standards\nFISMA                     Federal Information Security Management Act\nGAO                       Government Accountability Office\nGSA                       General Services Administration\nGSS                       General Support System\nHSPD-12                   Homeland Security Presidential Directive 12\nICFR                      Internal Control over Financial Reporting\nIDS                       Intrusion Detection System\nIG                        Inspector General\nII                        Implementing Instruction\nIPS                       Intrusion Prevention System\nISA                       Interconnection Security Agreement\nIT                        Information Technology\nJSAS                      Joint State-USAID\nLAN                       Local Area Network\nMEF                       Mission Essential Functions\nMOU                       Memoranda of Understanding\nNEF                       National Essential Functions\nNIST                      National Institute of Standards and Technology\nO-CCB                     Operations Configuration Change Board\nOD                        Operating Directive\nOFM                       Office of Financial Management\nOHR                       Office of Human Resources\n2010 Annual FISMA Executive Report                                       March 3, 2011\nReport No. 489\n                                        Page 12\n\x0c                                                                   Appendix I\n\n\nOIG                       Office of Inspector General\nOIT                       Office of Information Technology\nOMB                       Office of Management and Budget\nOP                        Operating Procedure\nPIN                       Personal Identification Number\nPIV                       Personal Identity Verification\nPMEF                      Primary Mission Essential Functions\nPOA&M                     Plan of Actions and Milestones\nQM                        Quality Management\nSANS                      SysAdmin, Audit, Network, Security\nSCR                       System Change Request\nSEC                       Securities and Exchange Commission\nSP                        Special Publication\nSSL                       Secure Sockets Layer\nSSP                       System Security Plan\nST&E                      Security Test and Evaluation\nTAC                       Technical Assistance Center\nUS-CERT                   United States Computer Emergency Readiness Team\n\n\n\n\n2010 Annual FISMA Executive Report                                  March 3, 2011\nReport No. 489\n                                      Page 13\n\x0c                                                                     Appendix II\n\n\n                     Scope and Methodology\nScope. We conducted our fieldwork for this evaluation from September 2010 to\nNovember 2010.The FISMA evaluation was conducted from August 2010 to\nNovember 2010 and the scope of the review consisted of the following areas that\nare found in \xe2\x80\x9cOMB Memorandum M-10-15,\xe2\x80\x9d for completing the OIG section of the\nFiscal Year 2010 OMB FISMA questionnaire:\n\n   \xe2\x80\xa2   Certification and Accreditation Processes and Procedures.\n   \xe2\x80\xa2   Configuration Management.\n   \xe2\x80\xa2   Incident Response and Reporting.\n   \xe2\x80\xa2   Annual Security Awareness Training.\n   \xe2\x80\xa2   Plan of Action and Milestones (POA&M) Processes and Procedures.\n   \xe2\x80\xa2   Remote Access Processes and Procedures.\n   \xe2\x80\xa2   Identity and Account Management.\n   \xe2\x80\xa2   Continuous Monitoring.\n   \xe2\x80\xa2   Contingency Planning and Testing.\n   \xe2\x80\xa2   Commission Oversight of Contractor Systems.\n\nThis evaluation focused on the FISMA which requires the SEC OIG to perform an\nannual, independent evaluation of the agency\xe2\x80\x99s information security policies,\npractices, and procedures. C5i conducted a review of the Commission\xe2\x80\x99s IT\nsecurity program (as required by the Act) based on guidance that was issued by\nthe OMB and NIST. In order to provide OIG\xe2\x80\x99s recommended responses to the\nOMB online tool (e.g., information security and privacy items) C5i\xe2\x80\x99s review\nincluded an evaluation of the major security components for FISMA 2010.\n\nC5i completed all data collection instruments related to FISMA 2010 and\n(1) Performed the necessary evaluation procedures to answer those questions to\nbe published by OMB in its reporting guidance, (2) Compiled an Executive\nSummary for the SEC\xe2\x80\x99s OIG, and (3) Performed a detailed security evaluation of\ntwo of the SEC\xe2\x80\x99s major security components. The applicable government laws,\ndirectives, regulations, and publications pertinent in support of this evaluation\ninclude the following:\n\n   \xe2\x80\xa2   Federal Information Systems Control Audit Manual (FISCAM);\n   \xe2\x80\xa2   OMB Circular A-130 Management of Federal Information Resources;\n   \xe2\x80\xa2   OMB\xe2\x80\x99s FY 2007 FISMA Evaluation and Reporting Guidance;\n   \xe2\x80\xa2   Computer Security Act of 1987;\n   \xe2\x80\xa2   The Clinger-Cohen Act of 1996 (the Information Technology Management\n       Reform Act);\n   \xe2\x80\xa2   Federal Information Security Management Act of 2002 (FISMA);\n   \xe2\x80\xa2   NIST Federal Information Processing Standards (FIPS);\n   \xe2\x80\xa2   Special Publications from the NIST 800 Series;\n   \xe2\x80\xa2   E-Government Act of 2002;\n2010 Annual FISMA Assessment                                         March 3, 2011\nReport No. 489\n                                    Page 14\n\x0c                                                                      Appendix II\n\n\n   \xe2\x80\xa2   OMB Memorandum M-06-16;\n   \xe2\x80\xa2   SEC employees and contractors; and\n   \xe2\x80\xa2   OIT policies and procedures pertinent to required areas.\n\nMethodology. To meet the objective to complete the IG portion of the annual\nFISMA questionnaire, C5i conducted interviews with key personnel, made\nindependent observations, and examined documentation provided by SEC\nofficials. Interviews with key personnel included systems owners, business line\nmanagers, OIT representatives, and OIG personnel. These interviews were\nfurther held to garner issues that were germane to completing the OIG portion of\nthe 2010 FISMA reporting requirement for OMB. We reviewed pertinent records\nand supporting documentation (such as policies, procedures, roles and\nresponsibilities) to address the evaluation objective. Our review of policies and\nprocedures also included discussions with SEC officials and covered the ten\nareas identified in the scope.\n\nC5i staff members reviewed OIT\xe2\x80\x99s C&A packages, including POA&Ms, Incident\nResponse documentation, pertinent policies and procedures, etc., to ensure\ncompliance with FISMA, NIST, and OMB guidance. In addition to interviewing\nkey personnel, C5i, Inc. also reviewed an extensive collection of system artifacts,\npolicies, procedures and other documentation relating to the systems and issues\nidentified above. Our analysis was based on all the information provided from\nvarious sources, including testimonial evidence, prior audit coverage, and\ndocumentation and artifacts provided to C5i.\n\nManagement Controls. Consistent with the audit objectives, we did not assess\nOIT\xe2\x80\x99s management control structure or its internal controls. C5i reviewed\nexisting controls at the Commission considered specific to 2010 FISMA OIG\nQuestionnaire (detailed above in the Scope). To thoroughly understand OIT\xe2\x80\x99s\nmanagement controls pertaining to its policies and procedures, methods of\noperation, and procedures, we relied on information requested and supplied by\nOIT staff member and interviews we had with various OIT personnel.\n\nUse of Computer-Processed Data. We did not assess the reliability of OIT\xe2\x80\x99s\ncomputers because it did not pertain to our objectives for this evaluation.\nFurther, we did not perform any tests on the general or application controls over\nOIT\xe2\x80\x99s automated systems, as this was not in scope. The information that was\nretrieved from this system as well as the requested artifacts provided to us were\nsufficient, reliable, and adequate enough to use in meeting our stated objectives.\nWe further reviewed the following computer processed data (e.g., Excel\nspreadsheets and MS Project plans) that OIT staff members provided to us:\n\n   \xe2\x80\xa2   Hardware and software inventory to document C5i\xe2\x80\x99s response to Section\n       2, Questions 2 and 3;\n   \xe2\x80\xa2   Compliance workbook detailing the status of Certification and\n       Accreditation of SEC systems (Section 1);\n2010 Annual FISMA Assessment                                           March 3, 2011\nReport No. 489\n                                     Page 15\n\x0c                                                                   Appendix II\n\n\n   \xe2\x80\xa2   List of patches deployed on SEC systems January 1, 2010 \xe2\x80\x93 September\n       30, 2010 (Section 2);\n   \xe2\x80\xa2   List of SEC Network Users with Local Administrative Access Privileges\n       (Section 7);\n   \xe2\x80\xa2   List of FDCC exceptions (Section 2); and\n   \xe2\x80\xa2   HSPD-12 Implementation Plan (Section 7).\n\nPrior Audit Coverage. C5i reviewed the 2009 FISMA Executive Summary,\nReport No. 472, March 26, 2010, which had no recommendations. In the OIG\nreport entitled, The Evaluation of the SEC Privacy Program, Report No. 475,\nMarch 26, 2010, all the recommendations have all been fully implemented and\nclosed. Our review of the Evaluation of the SEC Encryption Program, Report No.\n476, March 26, 2010 and the Assessment of SEC\xe2\x80\x99s Privacy Program, Report No.\n485, September 29, 2010 found that OIT is diligently working on the\nrecommendations. Though OIT has implemented and closed several\nrecommendations, several recommendations are still pending and remain open.\n\nJudgmental Sampling. C5i reviewed an Excel spreadsheet OIT staff provided\nus which consisted of approximately 1,000 SEC users (employees and\ncontractors) that were identified as having indefinite local administrative\nprivileges, as of October 31, 2010. The spreadsheet included the names of\ncurrent SEC employees and contractors, the type of privilege authorized, office\nphone number, grade/contractor, and assigned office. We judgmentally selected\nnames from the spreadsheet based on the type of privilege that had been\ngranted and checked whether the users had active SEC email accounts and\nphone numbers. This was done to verify whether or not these personnel still\nworked at the Commission. We did not identify any separated/terminated SEC\nusers.\n\n\n\n\n2010 Annual FISMA Assessment                                       March 3, 2011\nReport No. 489\n                                   Page 16\n\x0c                                                                      Appendix III\n\n\n                       Criteria and Guidance\nOMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management.\nProvides instructions for meeting agency FY 2010 reporting requirements under\nthe Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub.\nL. No. 107-347).\n\nOMB Memorandum M-07-16, Safeguarding Against and Responding to the\nBreach of Personally Identifiable Information (May 22, 2007). Requires agencies\nto develop and implement a breach notification policy. This is a responsibility\nshared by officials accountable for administering operational and privacy and\nsecurity programs, legal counsel, Agencies\xe2\x80\x99 Inspectors General and other law\nenforcement, and public and legislative affairs. It is also a function of applicable\nlaws, such as the Federal Information Security Management Act of 2002 (FISMA)\nand the Privacy Act of 1974.\n\nOMB Memorandum M-06-19, Reporting Incidents Involving Personally\nIdentifiable Information and Incorporating the Cost for Security in Agency\nInformation Technology Investments (July 12, 2006). Provides updated guidance\non the reporting of security incidents involving personally identifiable information\nand to remind you of existing requirements, and explain new requirements your\nagency will need to provide addressing security and privacy in your fiscal year\n2009 budget submissions for information technology.\n\nOMB Memorandum M-06-16, Protection of Sensitive Agency Information (June\n23, 2006). Recommends actions that are needed to protect sensitive information.\n\nOMB Memorandum M-06-15, Safeguarding Personally Identifiable Information\n(May 22, 2006). Re-emphasizes agency responsibilities under law and policy to\nappropriately safeguard sensitive personally identifiable information and to train\nemployees on their responsibilities.\n\nOMB Memorandum M-03-22, Guidance for Implementing Privacy Provisions of\nthe E-Government Act of 2002 (September 30, 2003). Provides information to\nagencies on implementing the E-Government Act of 2002 privacy provisions,\nsigned by the President on December 17, 2002 and effective April 17, 2003.\n\nNIST SP 800-53, Revision 3 Recommended Security Controls for Federal\nInformation Systems and Organizations, Special Publication 800-53, Revision 3.\nProvides details for the 18 Security Control families that are used to assess\ninformation systems and it provides guidance for implementation.\n\n\n\n\n2010 Annual FISMA Assessment                                           March 3, 2011\nReport No. 489\n                                     Page 17\n\x0c                                                                      Appendix III\n\nNIST SP 800-72, Guidelines on PDA Forensics. This guide provides an in-depth\nlook into PDAs and explaining the technologies involved and their relationship to\nforensic procedures. It covers three families of devices: (1) Pocket PC, (2) Palm\nOS, and (3) Linux-based PDAs, and the characteristics of the devices associated\noperating system.\n\nNIST SP 800-83, Guide to Malware Incident Prevention and Handling. This\npublication provides recommendations for improving an organizations malware\nincident prevention measures. It also gives extensive recommendations for\nenhancing an organizations existing incident response capability so that it is\nbetter prepared to handle malware incidents, particularly widespread ones. The\nrecommendations address several major forms of malware, including viruses,\nworms, Trojan horses, malicious mobile code, blended attacks, spyware tracking\ncookies, and attacker tools such as backdoors and rootkits. The\nrecommendations encompass various transmission mechanisms, including\nnetwork services (e.g., e-mail, Web browsing, file sharing) and removable media.\n\nNIST SP 800-86, Guide to Integrating Forensic Techniques into Incident\nResponse. This guide provides detailed information on establishing a forensic\ncapability, including the development of policies and procedures. The guide\xe2\x80\x99s\nfocus is primarily on using forensic techniques to assist with computer security\nincident response, but much of the material is also applicable to other situations.\n\nNIST SP 800-101, Guidelines on Cell Phone Forensics. The objective of the\nguide is twofold: (1) Helps organizations evolve appropriate policies and\nprocedures for dealing with cell phones, and (2) Prepares forensic specialists to\ncontend with new circumstances involving cell phones, when they arise.\n\nCMU/SEI-2003-HB-001, Organizational Models For Computer Security Incident\nResponse Teams (CSIRTs). The handbook describes different organizational\nmodels for implementing incident handling capabilities, including each model\xe2\x80\x99s\nadvantages and disadvantages and the kinds of incident management services\nthat are the best fit.\n\nCMU/SEI-20030TR-001, State of the Practice of Computer Security Incident\nResponse Teams (CSIRTs). Provides an objective study of the state of the\npractice of incident response, based on information about how CSIRTs around\nthe world are operating. The report covers CSIRT services, projects, processes,\nstructures, and literature, as well as training, legal, and operational issues.\n\nCMU/SEI-2003-HB-002, Handbook for Computer Security Incident Response\nTeams (CSIRTs). Proposes an intrusion-aware design model called trustworthy\nrefinement through intrusion-aware design (TRIAD). TRIAD helps information\nsystem decision makers formulate and maintain a coherent, justifiable, and\naffordable survivability strategy that addresses mission-compromising threats for\ntheir organization.\n\n2010 Annual FISMA Assessment                                           March 3, 2011\nReport No. 489\n                                     Page 18\n\x0c                                                                       Appendix III\n\n\n\nCMU/SEI-2004-TR-015, Defining Incident Management Processes for CSIRTs.\nPresents a prototype best practice model for performing incident management\nprocesses and functions. It defines the model through five high-level incident\nmanagement processes: Prepare/Sustain/Improve, Protect Infrastructure, Detect\nEvents, Triage Events, and Respond. Workflow diagrams and descriptions are\nprovided for all processes.\n\nCMU/SEI-2005-HB-001, First Responders Guide to Computer Forensics. The\nhandbook is for technical staff charged with administering and securing\ninformation systems and networks and it targets a critical training gap in the fields\nof information security, computer forensics, and incident response.\n\nSAND98-8667, A Common Language for Computer Security Incidents. Presents\nthe results of a project to develop a common language for computer security\nincidents. The project results are based on the cooperation of the Security and\nNetworking Research Group and the CERT\xc2\xae Coordination Center.\n\nFederal Information Security Management Act of 2002, Title III, Pub. L. No.\n107-347. Requires federal agencies to develop, document, and implement an\nagency-wide program providing security for the information and information\nsystems that support the operations and assets of the agency, including those\nprovided or managed by another agency, contractor, or other source.\n\nHomeland Security Presidential Directive-12 (HSPD-12), Policies for a\nCommon Identification Standard for Federal Employees and Contractors.\nProvides guidance and details for implementing a common identification standard\nthroughout federal agencies.\n\nE-Government Act of 2002 (P.L. 107-347). Enacted on December 17, 2002\nwith an effective date of April 17, 2003, to improve the management and\npromotion of electronic government services and processes.\n\nFederal Information Processing Standard Publication 199 (FIPS 199),\nStandards for Security Categorization of Federal Information and Information\nSystems. Provides guidance on the proper categorization of an information\nsystem based on the security level of the information contained in the system.\n\nFederal Information Processing Standard Publication 200, (FIPS 200),\nMinimum Security Requirements for Federal Information and Information\nSystems. Outlines the minimum security requirements for the security of Federal\ninformation system.\n\n\n\n\n2010 Annual FISMA Assessment                                            March 3, 2011\nReport No. 489\n                                      Page 19\n\x0c                                                                     Appendix IV\n\n\n                    List of Recommendations\n\nRecommendation 1:\n\nThe Office of Information Technology should identify all exceptions to the Federal\nDesktop Core Configuration standards and submit them to National Institute of\nStandards and Technology within 90 days of the issuance date of this report.\n\nRecommendation 2:\n\nThe Office of Information Technology should ensure justifications for deviations\nto Federal Desktop Core Configurations requirements are fully documented.\n\nRecommendation 3:\n\nThe Office of Information Technology (OIT) should:\n\n          3a. Perform a thorough review and identify the universe of all\n              Commission user accounts.\n          3b. Once the universe has been identified, OIT should then identify all\n              \xe2\x80\x9cactive\xe2\x80\x9d and \xe2\x80\x9cinactive\xe2\x80\x9d user accounts and determine whether or not\n              the accounts should be disabled.\n          3c. Take immediate action to disable the accounts of employees and\n              contractors who no longer work at the Commission.\n\nRecommendation 4:\n\nThe Office of Information Technology should review policies and procedures for\ndisabling accounts to ensure they are well-documented and thorough, and\nprovide training to appropriate staff regarding account termination procedures.\n\nRecommendation 5:\n\nThe Office of Information Technology should complete the logical access\nintegration of the HSPD-12 card no later than December 2011, as reported to the\nOffice of Management and Budget on December 31, 2010.\n\nRecommendation 6:\n\nThe Office of Information Technology should conduct a full review and identify\nthe universe of all users with elevated privileges.\n\n\n\n\n2010 Annual FISMA Assessment                                          March 3, 2011\nReport No. 489\n                                    Page 20\n\x0c                                                                   Appendix IV\n\nRecommendation 7:\n\nBased on the review results from recommendation 6, the Office of Information\nTechnology should enforce or develop procedures to ensure:\n\n          7a. Only users whose job function require permanent elevated access\n              have the needed privileges;\n          7b. Business justification are fully documented; and\n          7c. Elevated privileges are only issued for the finite amount of time\n              needed to complete assigned task.\n\nRecommendation 8:\n\nThe Office of Information Technology should maintain an accurate and current\nlist of all users that have elevated privileges.\n\n\n\n\n2010 Annual FISMA Assessment                                        March 3, 2011\nReport No. 489\n                                    Page 21\n\x0c                                                                                           Appendix V\n\n\n         OIG\xe2\x80\x99s Response to the OMB Questionnaire\n\nSection 1: Status of Certification and\nAccreditation Program\nBackground. Certification and Accreditation (C&A) is required by the Federal\nInformation Security Management Act (FISMA) of 2002, 14 and is the process\nused to evaluate systems and major applications to ensure adherence to formal\nand established security requirements that are well documented and authorized.\nAll systems and applications that reside on U.S. government networks must be\nevaluated with a formal C&A before it is put into production. Systems are\nevaluated annually (referred to as \xe2\x80\x9cContinuous Monitoring\xe2\x80\x9d) and are re-accredited\nevery three years, or sooner if major changes to the systems are made. The\ndocuments that comprise a C&A package include:\n\n     \xe2\x80\xa2   System Security Plan (SSP);\n     \xe2\x80\xa2   Risk Assessment \xe2\x80\x93 Business and System;\n     \xe2\x80\xa2   Categorization and Certification Level Recommendation;\n     \xe2\x80\xa2   Hardware and Software Inventory;\n     \xe2\x80\xa2   Self-Assessment;\n     \xe2\x80\xa2   Security Awareness and Training Plan;\n     \xe2\x80\xa2   Rules of Behavior for the End User;\n     \xe2\x80\xa2   Incident Response Plan;\n     \xe2\x80\xa2   Security Test and Evaluation (ST&E);\n     \xe2\x80\xa2   Privacy Impact Assessment;\n     \xe2\x80\xa2   Contingency Plan & Recent Test Results;\n     \xe2\x80\xa2   Configuration Management Plan;\n     \xe2\x80\xa2   Security Assessment Reports \xe2\x80\x93 Physical and Environmental, Network and\n         Application Assessments;\n     \xe2\x80\xa2   Plan of Action and Milestones (POA&M); and\n     \xe2\x80\xa2   Authorization Memorandum.\n\nIn the performance of a C&A, all information systems are given a risk impact\ncategorization based on the Federal Information Processing Standards (FIPS)\nPublication 199 Standards for Security Categorization of Federal Information and\nInformation Systems. 15 The impact level category for the system determines the\nscope of the C&A effort, for example, a low impact system will not be assessed\nas stringently as a high impact system. Information systems are categorized and\n\n14\n   Federal Information Security Management Act of 2002 (Title III, Pub. L. No. 107-347),\nhttp://csrc.nist.gov/drivers/documents/FISMA-final.pdf.\n15\n   Federal Information Processing Standards (FIPS) Publication 199 Standards for Security Categorization\nof Federal Information and Information Systems, http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-\nfinal.pdf.\n2010 Annual FISMA Assessment                                                                March 3, 2011\nReport No. 489\n                                                Page 22\n\x0c                                                                                          Appendix V\n\ndesignated as low, moderate, or high impact and are based on the level of\nadverse effect a data breach could have on an organization\xe2\x80\x99s operations, assets,\nand personnel. If a data breach occurs on a low impact system, the impact is\nexpected to be limited. If a data breach occurs on a moderate system, there is a\nmore serious impact. Data breaches on high systems have a severe or\ncatastrophic impact.\n\nNIST Special Publication (SP) 800-53, Recommended Security Controls for\nFederal Information Systems and Organizations 16 provides control families (e.g.,\nAccess Control, Incident Response, Identification and Authentication) that are\nused when assessing a system for a C&A and what impact level system that\napply. The examples shown below demonstrate that the control applies to Low,\nMedium and High impact level systems.\n\n        Example\n          AU-11 AUDIT RECORD RETENTION 17\n\n          Control: The organization retains audit records for [Assignment:\n          organization-defined time period consistent with records retention policy]\n          to provide support for after-the-fact investigations of security incidents\n          and to meet regulatory and organizational information retention\n          requirements.\n\n          LOW AU-11                 MOD AU-11                  HIGH AU-11\n\nResults of Assessment. The SEC has developed, documented, and\nimplemented policies and procedures for their C&A program that follows NIST,\nOMB, and FIPS 18 framework and guidance. 19 We found that the SEC\xe2\x80\x99s C&A\nprocess provides risk categories, has adequate risk assessments, uses the\nselection of appropriate controls, testing of controls are done, and regularly\n\n\n\n\n16\n    The National Institute of Standards and Technology Special Publication 800-53, \xe2\x80\x9cRecommended Security\nControls for Federal Information Systems and Organizations,\xe2\x80\x9d Appendix F, p. F1-F132.\n17\n   Id. Appendix F, p. F-30.\n18\n    Federal Information Processing Standard Publications 199, \xe2\x80\x9cStandards for Security Categorization of\nFederal Information and Information Systems\xe2\x80\x9c; FIPS 200, \xe2\x80\x9cMinimum Security Requirements for Federal\nInformation and Information Systems\xe2\x80\x9d, The National Institute of Standards and Technology Special\nPublication 800-53, \xe2\x80\x9cRecommended Security Controls for Federal Information Systems and Organizations\xe2\x80\x9d;\nSpecial Publication 800-60, \xe2\x80\x9cGuide for Mapping Types of Information and Systems to Security Categories\xe2\x80\x9d,\nThe National Institute of Standards and Technology Special Publication 800-53, \xe2\x80\x9cA Guide for Assessing\nSecurity Controls in Federal Information Systems, Building Effective Security Assessment Plans\xe2\x80\x9d, The\nNational Institute of Standards and Technology Special Publication 800-37, \xe2\x80\x9cGuide for Applying the Risk\nManagement Framework to Federal Information Systems: A Security Life Cycle Approach,\xe2\x80\x9d Office of\nManagement and Budget Circular A-130, Appendix III, Security of Federal Automated Information\nResources.\n19\n   SECR 24-04, Information Technology Security Program, October 4, 2005, OD 24-04.10 IT Security\nCompliance Program, April 12, 2006, II 24-04.10.01 Implementing Instruction: IT Security Certification and\nAccreditation, June 29, 2005, II 24-04.10.02 Implementing Instruction: IT Security Risk Management,\nDecember 22, 2005, II 24-04.10.03 IT Security Assessments, April 28, 2006, OD 24-04.10 IT Security\nCompliance, April 12, 2006.\n2010 Annual FISMA Assessment                                                              March 3, 2011\nReport No. 489\n                                               Page 23\n\x0c                                                                                         Appendix V\n\nmonitors system risks and the adequacy of controls. 20 Our review of a C&A\npackage found that OIT applies guidance and the best practices defined in the\nNIST and OMB guidance. Further, we found that authorizing officials are\npresented with a complete C&A package to facilitate informed system\nauthorizations, to operate decisions based on risks and controls that are\nimplemented. OIT staff documents deficiencies in the POA&M and tracks them\nfor remediation.\n\nIn 2008, the Commission purchased the Department of Justice (DOJ) sponsored,\nweb-enabled Cyber Security Assessment and Management (CSAM) tool to\nassist in performing and tracking all C&A activities. The CSAM tool was\ndeployed at the Commission in March 2009. OIT uses CSAM to track system\ninventory, the security categorization of each information system, the status of\nC&A activities, weakness descriptions and remediation plans in the form of\nPOA&M\xe2\x80\x99s, NIST 800-53 control assessment results, audit finding maintenance,\nmonitoring, FISMA quarterly reports, and OIG and Government Accountability\nOffice (GAO) audit recommendations. 21 See screenshots of the CSAM functions\nOIT uses to track C&A activities in Appendix VIII.\n\nSpecific to question 1.a.1, C5i found that the Commission has documented its\npolicies and procedures for performing C&A\xe2\x80\x99s. Staff\xe2\x80\x99s roles and responsibilities\nare defined and documented to ensure the process is completed and guidance\nfrom NIST standards and OMB guidance are used. 22 23 The SEC has developed\nand implemented policies and procedures to establish the Commission\xe2\x80\x99s C&A\nprogram. 24\n\nFurther, C5i found through its review of artifacts provided by OIT (e.g., ST&E,\nPOA&M, System Security Plan (SSP), and Risk Assessment) that the artifacts\nwere consistent with guidance and best practices defined in relevant NIST\nstandards and OMB guidance. The Commission\xe2\x80\x99s C&A\xe2\x80\x99s are performed by an\nindependent third-party. 25 26\n\n20\n   As noted in the Assessment of SEC\xe2\x80\x99s Privacy Program, Report No. 485, dated September 29, 2010, C5i\nrecommended that OIT should evaluate its risk assessment process for scoring risk to ensure that it\nadequately weighs all appropriate factors, including the identification of risk levels by vendors.\n21\n   The National Institute of Standards and Technology Special Publication 800-53, \xe2\x80\x9cRecommended Security\nControls for Federal Information Systems and Organizations.\xe2\x80\x9d\n22\n   The National Institute of Standards and Technology\xe2\x80\x99s 800-37, \xe2\x80\x9cGuide for the Security Certification and\nAccreditation of Federal Information Systems,; The National Institute of Standards and Technology 800-53,\n\xe2\x80\x9cRecommended Security Controls for Federal Information Systems and Organizations\xe2\x80\x9c; The National\nInstitute of Standards and Technology 800-53A, and \xe2\x80\x9cGuide for Assessing the Security Controls in Federal\nInformation Systems.\xe2\x80\x9d\n23\n   Office of Management and Budget Circular A-130 \xe2\x80\x9cSecurity of Federal Automated Information Resources.\xe2\x80\x9d\n24\n   SEC Policy II 24-04.10.01 (02.0) Implementing Instruction: IT Security Certification and Accreditation,\nJune 29, 2005.\n25\n   The National Institute of Standards and Technology 800-37, \xe2\x80\x9cGuide for the Security Certification and\nAccreditation of Federal Information Systems\xe2\x80\x9d; The National Institute of Standards and Technology 800-53,\n\xe2\x80\x9cRecommended Security Controls for Federal Information Systems and Organizations\xe2\x80\x9c; The National\nInstitute of Standards and Technology 800-53A, and \xe2\x80\x9cGuide for Assessing the Security Controls in Federal\nInformation Systems.\xe2\x80\x9d\n26\n   Office of Management and Budget Circular A-130 \xe2\x80\x9cSecurity of Federal Automated Information Resources.\xe2\x80\x9d\n2010 Annual FISMA Assessment                                                              March 3, 2011\nReport No. 489\n                                               Page 24\n\x0c                                                                                              Appendix V\n\nResponse. In response to question 1 on the OMB template, based on interviews\nand reviews of C&A packages and as indicated above, we determined that the\nCommission has an established a C&A program. In addition, the SEC is\nmaintaining a C&A program that is generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s\nFISMA requirements.\n\nIn questions 1.a.2 through 1.a.7, C5i found that the C&A process provides\nappropriate risk categories, risk assessments, the selection of appropriate\ncontrols, the testing of controls, and regular monitoring of system risks and the\nadequacy of controls. However, as was recommended in Report No. 485, OIT\nshould evaluate its risk assessment process for scoring risk to ensure that it\nadequately weighs all appropriate factors, including the identification of risk levels\nby vendors.\n\nConcerning question 1.a.8, the accreditation official is presented with complete\nand reliable C&A information 27 related to the risks and controls of the system\nwhich facilitates the authorizing office\xe2\x80\x99s ability to make informed decisions. All\ndeficiencies are documented in the POA&M which contains the plan for\nremediation, responsible party, etc. We provided our response to question 1 as\nshown in Table 1 below.\n\n     Table 1: OIG Response to Question 1\n       ID                     Questions from OMB Questionnaire                               Response\n     1a.       The Agency has established and is maintaining a certification and\n               accreditation program that is generally consistent with NIST\'s and\n               OMB\'s FISMA requirements. Although improvement opportunities                      Yes\n               may have been identified by the OIG, the program includes the\n               following attributes:\n     1.a.1     Documented policies and procedures describing the roles and\n               responsibilities of participants in the certification and accreditation\n               process.\n     1.a.2     Establishment of accreditation boundaries for agency information\n               systems.\n     1.a.3     Categorizes information systems.\n     1.a.4     Applies applicable minimum baseline security controls.\n     1.a.5     Assesses risks and tailors security control baseline for each\n               system.\n     1.a.6     Assessment of the management, operational, and technical\n               security controls in the information system.\n     1.a.7     Risks to Agency operations, assets, or individuals analyzed and\n               documented in the system security plan, risk assessment, or an\n               equivalent document.\n     1.a.8     The accreditation official is provided (i) the security assessment\n               report from the certification agent providing the results of the\n               independent assessment of the security controls and\n\n27\n   The accreditation official is provided (i) the security assessment report from the certification agent\nproviding the results of the independent assessment of the security controls and recommendations for\ncorrective actions; (ii) the plan of action and milestones from the information system owner indicating actions\ntaken or planned to correct deficiencies in the controls and to reduce or eliminate vulnerabilities in the\ninformation system; and (iii) the updated system security plan with the latest copy of the risk assessment.\n2010 Annual FISMA Assessment                                                                  March 3, 2011\nReport No. 489\n                                                 Page 25\n\x0c                                                                                       Appendix V\n\n              recommendations for corrective actions; (ii) the plan of action and\n              milestones from the information system owner indicating actions\n              taken or planned to correct deficiencies in the controls and to\n              reduce or eliminate vulnerabilities in the information system; and\n              (iii) the updated system security plan with the latest copy of the\n              risk assessment.\n     Source: OMB FISMA Web Portal\n\n\n\n\nSection 2: Status of Security Configuration\nManagement\nBackground. A Security Configuration Management Program consists of the\nactivities surrounding the maintenance of the security configuration of a system\nor network in order to effectively manage risk. The program consists of patch\nmanagement and the remediation of vulnerabilities, regular scans of the network\nfor vulnerabilities, establishment of a standard baseline configuration, full\nhardware and software inventory, and a change management process.\n\nThe FDCC is an OMB mandate that requires all Federal Agencies to standardize\nthe configuration (baseline) of approximately 300 settings on every Windows\ncomputer, agency wide. The reason for this standardization is to strengthen the\nfederal IT\xe2\x80\x99s security by reducing opportunities for hackers to access and exploit\ngovernment computer systems. At this time, there are no standard configuration\nsettings for Macintosh or UNIX based operating systems, but they are reportedly\nunder review by OMB for possible standardized configuration guidelines.\n\nPatch management is a key component in maintaining the security posture of a\nsystem. Software vendors provide patches and updates to remediate security\nvulnerabilities identified in its software. These patches and updates are made\navailable through the software vendor\xe2\x80\x99s website as they are released. Most\nvendors have a set day that patches are released. For example, Microsoft\nreleases patches/updates on the 2nd Tuesday of each month. If vulnerability is\nconsidered critical, then a vendor may release patches out-of-cycle, based on the\nseverity of the vulnerability.\n\nNIST SP 800-53, Recommended Security Controls for Federal Information\nSystems and Organization provides guidance to government organizations on\nflaw remediation, such as patching and updates. The NIST guidance provides\nthat an organization should identify, report, and correct information system flaws;\ntest software updates related to flaw remediation for effectiveness and potential\nside effects on organizational information systems before installation; and\nincorporate flaw remediation into the organizational configuration management\nprocess. 28\n\n28\n  The National Institute of Standards and Technology, Special Publication 800-53, Rev 3, \xe2\x80\x9cRecommended\nSecurity Controls for Federal Information Systems and Organizations,\xe2\x80\x9d August 2009, p. F-124.\n2010 Annual FISMA Assessment                                                           March 3, 2011\nReport No. 489\n                                              Page 26\n\x0c                                                                                       Appendix V\n\n\n\nResults of Assessment. C5i determined that the Commission has developed\nand issued formal, written configuration management policy (implementing\ninstructions) that addresses project configuration management. 29 These\nimplementing instructions establish uniform policies, authorities, responsibilities,\nand procedures for IT security configuration management. 30 Further, the\ninstruction identify configuration management planning as a process that is\nmanaged by the Configuration Management and Quality Assurance (CM/QA)\nBranch and other OIT organizations engaged in Information Technology project\nactivities and provides a Project Configuration Management Plan template that\ndescribes configuration management activities in terms of configuration\nidentification, baseline management, configuration control, status accounting,\naudits, and configuration management tools. These implementing instructions\nare consistent with guidance provided in NIST SP 800-53 Recommended\nSecurity Controls for Federal Information Systems and Organizations. 31\n\nThe SEC has implemented appropriate policies to perform oversight and\nevaluation of contractor information systems. 32 The Quality Management (QM)\npolicy \xe2\x80\x9cidentifies the use of QM for the systematic implementation and use of\nplanning, control, assurance, and improvement activities to align the business\ngoals, quality objectives, and process measures. QM may involve providing\ninformation on standards, facilitating a team, or identifying and analyzing a\nprocess. Another expectation of QM is to collect measurement data and lessons\nlearned as input to other process and product assurance management activities.\nQM resources act as consultants in continuous process improvement activities.\xe2\x80\x9d\nQM has specific objectives, e.g., quality planning, quality control, quality\nassurance, and quality improvement, helping to ensure successful\nimplementation. Effective QM designs, develops, and implements guidance\nprocesses that assure accuracy and integrity. The OIT\xe2\x80\x99s CM/QA Branch is\nresponsible for conducting the review, control, and enforcement of the process\nand product assurance for IT products within OIT as well as agency-wide, to\nensure quality planning and quality control are addressed.\n\nA change request is prepared and initiated by a requester using the enterprise\nchange control tool. The enterprise change control tool is administered by the\nCM/QA Branch. The information that requesters put into the change control tool\ngenerates a System Change Request (SCR). An Operations Configuration\n\n\n29\n   24-03.01.02(01.0) Implementing Instruction Process and Product Assurance Management Configuration\nManagement and 24-04.04.02 (01.1), Implementing Instruction for IT Security Configuration Management.\n30\n   OD 24-04.04, IT Security Operations and Communications Security Management Program, SECR 24-04,\nInformation Technology Security Program.\n31\n   The National Institute of Standards and Technology Special Publication 800-53 \xe2\x80\x9cRecommended Security\nControls for Federal Information Systems and Organizations,\xe2\x80\x9d Appendix F-CM, pages F-38 \xe2\x80\x93 F46, Control\nFamily: Configuration Management.\n32\n   24-1.2 Introduction of New Technology Into the Agency, 24-1.6 Enterprise Architecture, OD 24-03.01\nProcess and Product Assurance Management, OD 24-03.01.01 Process and Product Assurance\nManagement: Quality Management.\n2010 Annual FISMA Assessment                                                           March 3, 2011\nReport No. 489\n                                              Page 27\n\x0c                                                                                     Appendix V\n\nControl Board (O-CCB) 33 has been established to review and approve SCR\xe2\x80\x99s.\nMembers of the O-CCB include representatives from:\n\n        \xe2\x80\xa2   Office of Applications and Software Development;\n        \xe2\x80\xa2   Central Operations Branch;\n        \xe2\x80\xa2   Configuration Management and Quality Control Branch (non-voting\n            member);\n        \xe2\x80\xa2   Data and Application Management Branch;\n        \xe2\x80\xa2   Electronic Data Gathering, Analysis, and Retrieval System (EDGAR);\n        \xe2\x80\xa2   End User Technology Branch;\n        \xe2\x80\xa2   Information Security Group;\n        \xe2\x80\xa2   Network Engineering Branch;\n        \xe2\x80\xa2   Servers and Storage Branch; and\n        \xe2\x80\xa2   Technical Assistance Center (TAC). 34\n\nO-CCB members evaluate the SCR\xe2\x80\x99s and assess any IT security implications.\nInformation system components such as hardware, operating system, utility, and\napplications, with IT security features require testing prior to the implementation\nof the change into the production environment, which prevent unwarranted\ndowntime of the production environment.\n\nWhen a change to an existing information system is proposed, the OIT Security\nGroup O-CCB member conducts an impact analysis to determine the effects on\nthe integrity and availability of the information and the information system. This\nanalysis ensures that changes do not introduce new vulnerabilities or diminish\nexisting IT security controls. In addition to the impact analysis, IT security testing\nand evaluation is conducted for all proposed changes that have IT security\nimplications and features. Upon completion of testing and after all IT security\nimplications are evaluated and assessed, the O-CCB approves or disapproves\nthe proposed changes. The results of the analysis and any IT security testing\nand evaluation are documented within the change control tool.\nIn September 2010, OIT deployed the appropriate FDCC setting to all Windows-\nbased workstations. However, some requirements were not implemented due to\nthe incompatibility with OIT\xe2\x80\x99s internal applications and management\xe2\x80\x99s decision\nnot to implement them.\n\nWhile compliance with the FDCC standards is required by the OMB for all\ndesktops and laptops, OMB does allow for exceptions. Per OMB Memorandum\nM-09-29 FY2009 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, 35 any and all exceptions\nmust be documented and submitted to NIST electronically. As documented in\nReport, No. 485, and based on interviews conducted with OIT senior\n\n33\n   OD 24-03.01-C01 Operations Configuration Control Board (O-CCB) Charter.\n34\n   Id.\n35\n   Office of Management and Budget Memorandum M-09-29 FY2009 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management.\n2010 Annual FISMA Assessment                                                         March 3, 2011\nReport No. 489\n                                             Page 28\n\x0c                                                                                    Appendix V\n\nmanagement, as of February 2, 2011, OIT\xe2\x80\x99s exceptions list was still outstanding\nand OIT had not submitted it to NIST.\n\nOur review of OIT\xe2\x80\x99s exceptions list found some exceptions were annotated with\n\xe2\x80\x9cmanagement decision\xe2\x80\x9d as the justification for the exception. However, OIT staff\ncould not provide us with support documentation for its decisions. For example,\nOIT staff informed us that the FDCC password requirement is an exception.\nOIT\xe2\x80\x99s password policy indicates passwords at a minimum must be\nand must be changed every              . The FDCC requires passwords to be at a\nminimum 12 characters, and the password must be changed every 60 days.\nOIT\xe2\x80\x99s decision to non-comply with the FDCC\xe2\x80\x99s password requirement is noted on\nthe exception report as \xe2\x80\x9cmanagement decision\xe2\x80\x9d with no additional information.\n\nThe SEC has developed policies and procedures for patch management for their\nnetwork servers, as well as workstations (e.g., desktops and laptop computer\nsystems). 36 When vendors release a patch, OIT first tests the patch in its\ndevelopment environment to ensure the patch will not have an adverse effect on\nthe SEC\xe2\x80\x99s systems. This is done by applying the patch to a test workstation or to\na server and then verifying the results. OIT uses a commercial product to test\npatches and to deploy patches that have been successfully tested.\n\nOnce patches are tested and it is determined that they do not adversely affect\nthe SEC\xe2\x80\x99s systems and applications, a \xe2\x80\x9cchange\xe2\x80\x9d is then submitted to the change\ncontrol board for approval. If it is determined that a patch could adversely affect\nthe SEC\xe2\x80\x99s systems/applications, the security risk posed by not applying the patch\nis reviewed by the security group to determine if appropriate compensating\ncontrols exist, e.g., firewalls, intrusion protection etc. Once approved, patches\nare \xe2\x80\x9cpushed out\xe2\x80\x9d to all SEC workstations via a \xe2\x80\x9cgroup policy update\xe2\x80\x9d that is\nissued.\n\nAdministrative notices (see Appendix VIII) are sent prior to the push to ensure\nthat SEC personnel are aware of the upcoming change to remind staff to keep\ntheir workstations powered on and connected to the network in order for their\nmachine to be updated. For employees off-site, their machines will automatically\nbe updated the next time they connect to the SEC network.\n\nWe found OIT has documented and incorporated guidance from NIST\nrequirements in its policies and procedures, however, we determined that they\nare not always followed. For example, OIT informed us that patches for high-\nlevel vulnerabilities are generally deployed within          after a patch is\nreleased (OIT policy indicates high-level patches are to be deployed within\n\n\n36\n   OP 24-03.01.02.07 Configuration Control: Change Management, 24-05.04.03 (01.0) Implementing\nInstruction: Patch Management, 24-05.04.03.01 UNIX Server Patch Procedure, 24-05.04.03.02 Windows\nServer Patch Installation, and 24-05.04.03.03 Security-Related Patch Management for Windows-based\nWorkstations.\n2010 Annual FISMA Assessment                                                         March 3, 2011\nReport No. 489\n                                            Page 29\n\x0c                                                                                       Appendix V\n\n                  ) and patches for medium or low-level vulnerabilities are generally\ndeployed in             . 37\n\nFurther, we found significant delays in the deployment of patches. For example,\nMicrosoft Service Pack 3 was issued by the vendor in May 2008, but was only\nrecently deployed to the SEC\xe2\x80\x99s systems. NIST 800-53 guidance does not require\nthat patching be done within a certain time frame; however it does state that \xe2\x80\x9cthe\norganization promptly installs security-relevant software updates (e.g., patches,\nservices packs, and hot fixes.).\xe2\x80\x9d 38\n\nResponse. In response to question 2, C5i found that the Commission is\nmaintaining a configuration management program with documented processes\nand procedures for configuration management - hardware and software\ninventory, change management, vulnerability scanning, and identified baseline\nconfiguration; however, improvements are needed. As a result, C5i\nrecommended selecting 2.b.\n\nIn response to question 2.a.8, C5i found that the SEC needs to improve its\ndocumentation of deviations from FDCC requirements. In addition, as discussed\nin Report No. 485, the SEC does maintain a list of exceptions/deviations from the\ncommon security standards (e.g., FDCC). However, OIT has not submitted its\ndeviations from FDCC to NIST, as required by OMB Memorandum M-09-29, \xe2\x80\x9cFY\n2009 Reporting Instruction for the Federal Information Security Management Act\nand Agency Privacy Management.\xe2\x80\x9d Additionally, OIT does not maintain\nsupporting documentation to justify \xe2\x80\x9cmanagement decisions\xe2\x80\x9d to deviate from\nFDCC standards.\n\nRegarding question 2.a.11, C5i found that the SEC\xe2\x80\x99s patch management process\nis not fully developed and implemented. Additionally, Report No. 485 found that\nOIT has not applied patches in a timely and effective manner. For example, OIT\napplied Microsoft\xe2\x80\x99s XP Professional Service Pack 3 in calendar year 2010, even\nthough Microsoft issued the patch in May 2008. In addition, OIT has applied\nmultiple patches since November 2009; however, at the time the OIG reported to\nOMB for FISMA, OIT was unable to provide the exact dates when the patches\nwere applied. As a result, C5i was unable to determine the timeliness and\neffectiveness of OIT\xe2\x80\x99s patch management process. Subsequent to the\nNovember 15, 2010 report to OMB for FISMA, OIT provided C5i a list of all of the\npatches applied and was able to determine that OIT\xe2\x80\x99s patch management is\nimproving. However, we are unable to fully determine the effectiveness of the\nSEC\xe2\x80\x99s patch management process. We provided our response to questions 2\nand 3 as shown in Table 2 below.\n\n\n37\n  OP24-05.04.03.03, Security-Related Patch Management for Window-based Workstations.\n38\n  The National Institute of Standards and Technology, Special Publication 800-53, Rev 3, \xe2\x80\x9cRecommended\nSecurity Controls for Federal Information Systems and Organizations,\xe2\x80\x9d August 2009, p. F-124, Control:\nSystem and Information Integrity, SI-2 Flaw Remediation.\n2010 Annual FISMA Assessment                                                           March 3, 2011\nReport No. 489\n                                              Page 30\n\x0c                                                                                            Appendix V\n\n\n     Table 2: OIG Response to Questions 2 and 3 39\n           ID                 Questions from OMB Questionnaire                     Response\n      2b        The Agency has established and is maintaining a security\n                configuration management program. However, the Agency                 Yes\n                needs to make significant improvements as noted below.\n      2.a.8     FDCC is not fully implemented (OMB) and/or all deviations are         Yes\n                not fully documented.\n\n                Comments: As was illustrated in OIG Report No. 485, the SEC\n                does maintain a list of exceptions/deviations from the common\n                security standards (i.e., FDCC). However, OIT has not\n                submitted its deviations list from FDCC to NIST, as required by\n                OMB Memorandum M-09-29, \xe2\x80\x9cFY2009 Reporting Instruction for\n                the Federal Information Security Management Act and Agency\n                Privacy Management\xe2\x80\x9d. Additionally, OIT does not maintain\n                supporting documentation to justify the \xe2\x80\x9cmanagement decisions\xe2\x80\x9d\n                used to deviate from FDCC standards.\n      2.a.11    Patch management process is not fully developed (NIST 800-53:         Yes\n                CM-3, SI-2).\n                Comments: As was noted in Report No. 485, OIT did not apply\n                patches in a timely and effective manner. For example, the\n                SEC\xe2\x80\x99s OIT applied Microsoft\xe2\x80\x99s XP Professional Service Pack 3 in\n                calendar year 2010, even though Microsoft issued the patch in\n                May 2008. In addition, OIT has applied multiple patches since\n                November 2009; however, OIT is unable to provide the exact\n                dates for when the patches were applied. Therefore, we are\n                unable to fully determine the effectiveness of the SEC\xe2\x80\x99s patch\n                management process.\n      3.\n\n\n\n\n      Source: OMB FISMA Web Portal\n\n\n\n\n39\n  Table 2 does not reflect all components of question 2. The table identifies areas where OIT needs\nimprovement.\n2010 Annual FISMA Assessment                                                                March 3, 2011\nReport No. 489\n                                                 Page 31\n\x0c                                                                                                Appendix V\n\n\nSection 3: Status of Incident Response &\nReporting Program\nBackground. Incident response is the documented (through policies and\nprocedures) and organized approach to addressing and managing the aftermath\nof a security breach or attack (also known as an incident). Incidents can include\nlost/stolen assets (laptops, Blackberry devices, etc.) or the compromise of an\norganizations system (unauthorized access, computer virus, etc.). NIST SP 800-\n53 provides the following controls regarding Incident Response:\n\n     Control Family - Incident Response 40\n       \xe2\x80\xa2 IR-1 Incident Response Policy and Procedures\n       \xe2\x80\xa2 IR-2 Incident Response Training\n       \xe2\x80\xa2 IR-3 Incident Response Testing and Exercises\n       \xe2\x80\xa2 IR-4 Incident Handling\n       \xe2\x80\xa2 IR-5 Incident Monitoring\n       \xe2\x80\xa2 IR-6 Incident Reporting\n       \xe2\x80\xa2 IR-7 Incident Response Assistance\n       \xe2\x80\xa2 IR-8 Incident Response Plan\n\nThe goal of incident response is to handle the situation in a way that limits\ndamage and reduces recovery time and costs. Organizations develop an\nincident response plan to include policies that define, in specific terms, what\nconstitutes an incident and provides a step-by-step process that should be\nfollowed when an incident occurs based on the type and severity of the incident.\n\nOrganizations have a designated computer incident response team which is a\ncarefully selected group that, in addition to security and general IT staff, may\ninclude representatives from legal, human resources, and public relations\ndepartments. The teams\xe2\x80\x99 roles and responsibilities are documented, defined and\ncommunicated thoroughly.\n\nThe SANS\xe2\x84\xa2 (SysAdmin, Audit, Network, and Security) training Institute has\nidentified the following six steps that should be used to effectively address an\nincident. 41\n\n     1. Preparation: The organization educates users and IT staff of the\n        importance of updated security measures and trains them to respond to\n        computer and network security incidents quickly and correctly.\n40\n   The National Institute of Standards and Technology\xe2\x80\x99s (NIST), Special Publication 800-53, Rev 3,\n\xe2\x80\x9cRecommended Security Controls for Federal Information Systems and Organizations\xe2\x80\x9d, August 2009,\nPages F-61 \xe2\x80\x93 F-65, Control Family: Incident Response.\n41\n   The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative\nresearch and education organization. A range of individuals from auditors and network administrators, to\nchief information security officers are sharing the lessons they learn and are jointly finding solutions to the\nchallenges they face. (Source http://www.sans.org\\about).\n2010 Annual FISMA Assessment                                                                     March 3, 2011\nReport No. 489\n                                                   Page 32\n\x0c                                                                                        Appendix V\n\n\n\n     2. Identification: The response team is activated to decide whether a\n        particular event is, in fact, a security incident. The team may contact the\n        Computer Emergency Response Team Coordination Center, which tracks\n        Internet security activity and has the most current information on viruses\n        and worms.\n\n     3. Containment: The team determines how far the problem has spread and\n        contains the problem by disconnecting all affected systems and devices to\n        prevent further damage.\n\n     4. Eradication: The team investigates to discover the origin of the incident.\n        The root cause of the problem and all traces of malicious code are\n        removed.\n\n     5. Recovery: Data and software are restored from clean backup files,\n        ensuring that no vulnerabilities remain. Systems are monitored for any\n        sign of weakness or recurrence.\n\n     6. Lessons Learned: The team analyzes the incident and how it was\n        handled, making recommendations for better future response and for\n        preventing a recurrence.\n\nResults of Assessment. The SEC has implemented policies and procedures 42\nto address Incident Response which are well documented and address the NIST\nand OMB 43 guidance. C5i\xe2\x80\x99s review of the SEC\xe2\x80\x99s Incident Response Capability\n(IRC) Handbook provided evidence of the SEC\xe2\x80\x99s attributes for its incident\nresponse and reporting program. The SEC IRC Handbook was developed to\nassist in the mission of the SEC Computer Security Incident Response Team.\nThe handbook defines processes and procedures, roles and responsibilities,\ntypes of incidents, reporting criteria and timeframes, evidence collection and\nhandling, event categories and incident severity, etc., as well as post-mortem\nprocedures, e.g., lessons learned.\n\nThe handbook also defines which types of incidents are required to be reported\nto the United States Computer Emergency Readiness Team (US-CERT) (based\non OMB A-130 and FISMA) and which do not. The types of incidents that are not\nrequired to be reported are incidents that are self-inflicted, did not result in\nunauthorized access, or were not a result of attackers\xe2\x80\x99 actions. All other\n\n42\n   OD 24-04.07 Information Security Incident Management, II 24-04.07.01 Computer Security Incident\nResponse Capability, OP 24-04.07.01.02 Handling Inappropriate Usage Incidents, OP 24-04.07.01.03\nHandling of Denial of Service Incidents, OP24-04.07.01.04 Handling Unauthorized Access Incidents, OP 24-\n04.07.01.05 Handling Laptop Theft and Tampering Incidents, OP 24-04.07.01.05.A01 Laptop Theft and\nTampering Incident Materials SEC Incident Response Capability Handbook, and II 24-04.07.01.A01 SEC\nIncident Response Capability Handbook.\n43\n   Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated\nInformation Resources.\n2010 Annual FISMA Assessment                                                            March 3, 2011\nReport No. 489\n                                              Page 33\n\x0c                                                                                             Appendix V\n\nincidents require reporting to US-CERT. For further detail, the Incident\nEscalation Flow Chart is included in Appendix VIII.\n\nC5i found that that the Commission has incident prevention, detection, response,\nand reporting capabilities. This capability features a number of tools including,\nbut not limited to:\n\n    \xe2\x80\xa2    Archer; 44\n    \xe2\x80\xa2    ArcSight Enterprise Security Manager (ESM); 45\n    \xe2\x80\xa2    Encase\xc2\xae; 46\n    \xe2\x80\xa2\n    \xe2\x80\xa2\n    \xe2\x80\xa2\n    \xe2\x80\xa2\n\n44\n   Archer Incident Management centralizes and streamlines the complete case management lifecycle for\ncyber and physical incidents and ethics violations. Archer\xe2\x80\x99s web-based solution allows the SEC to capture\norganizational events that may escalate into incidents, evaluate incident criticality, and assign response\nteam members based on business impact and regulatory requirements. You can also consolidate response\nprocedures, manage investigations end-to-end, and report on trends, losses, recovery efforts and related\nincidents.\n45\n   ArcSight delivers real-time event management with ArcSight ESM. As a key component of the ArcSight\nSIEM Platform, ArcSight ESM delivers \xe2\x80\x9cforensics on the fly,\xe2\x80\x9d the ability to drill down from an alert to the\nsource events that triggered the alert. The advanced real-time correlation capability of ArcSight ESM\nidentifies the relevance of any given event by placing it within context of who, what, where, when and why\nthat event occurred and its impact on business risk. ArcSight ESM correlates incoming events with asset\nprioritization and vulnerability, user activity, and threat history to deliver accurate and automated\nprioritization of security risks and compliance violations. The powerful correlation engine of ArcSight ESM\nprocesses many millions of log entries down to the few critical events that matter.\n46\n   EnCase\xc2\xae Forensic is the premier computer forensic application available. It gives investigators the ability\nto image a drive and preserve it in a forensic manner using the EnCase\xc2\xae evidence file format (LEF or E01),\na digital evidence container validated and approved by courts worldwide. EnCase\xc2\xae Forensic also contains\na full suite of analysis, bookmarking and reporting features. Guidance Software and third party vendors\nprovide support for expanded capabilities to ensure that forensic examiners have the most comprehensive\n  et of utilities.\n\n\n\n\n2010 Annual FISMA Assessment                                                                  March 3, 2011\nReport No. 489\n                                                 Page 34\n\x0c                                                                                         Appendix V\n\nIn addition, C5i found that local processes and procedures are based on\nguidance as described by NIST, 51 OMB 52 and industry best practices. The\nincident reporting procedures are widely used, and fully integrated into the SEC\xe2\x80\x99s\nIT management processes.\n\nResponse. In question 4, we found the SEC has established and is maintaining\nan incident response and reporting program that is generally consistent with\nNIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA requirements based on the description provided\nabove. C5i found that the SEC has documented policies and procedures for\nreporting incidents internally to the US-CERT and law enforcement. These\npolicies and procedures were developed using guidance and best practices from\nNIST and OMB.\n\nConcerning questions 4.a.1 through 4.a.5, as indicated above, C5i determined\nthrough interviews and documentation review that the SEC has established and\nis maintaining an incident response program consistent with NIST, OMB\xe2\x80\x99s FISMA\nrequirements. The program consists of documented policies and procedures for\nreporting and responding to incidents, tracking resolution, reporting to US-CERT,\nand involving law enforcement when appropriate. We provided our response to\nquestion 4 as shown in Table 3 below.\n\n\n\n\n   The National Institute of Standards and Technology, Special Publication 800-61, Rev 1, \xe2\x80\x9cComputer\nSecurity Incident Handling Guide,\xe2\x80\x9d March 2008, The National Institute of Standards and Technology Special\nPublication 800-72, \xe2\x80\x9cGuidelines on PDA Forensics,\xe2\x80\x9d November 2004, The National Institute of Standards\nand Technology Special Publication 800-83, \xe2\x80\x9cGuide to Malware Incident Prevention and Handling,\xe2\x80\x9d\nNovember 2005, The National Institute of Standards and Technology Special Publication 800-86, \xe2\x80\x9cGuide to\nIntegrating Forensic Techniques into Incident Response,\xe2\x80\x9d August 2006, The National Institute of Standards\nand Technology Special Publication 800-101, \xe2\x80\x9cGuidelines on Cell Phone Forensics,\xe2\x80\x9d May 2007, Carnegie\nMellon University Software Engineering Institute CMU/SEI-2003-HB-001, Organizational Models For\nComputer Security Incident Response Teams (CSIRTs), Carnegie Mellon University Software Engineering\nInstitute (CMU/SEI) CMU/SEI-20030TR-001, State of the Practice of Computer Security Incident Response\nTeams (CSIRTs), Carnegie Mellon University Software Engineering Institute CMU/SEI-20030HB-002,\nHandbook for Computer Security Incident Response Teams (CSIRTs), Carnegie Mellon University Software\nEngineering Institute CMU/SEI-2004-TR-015, Defining Incident Management Processes for CSIRTs,\nCarnegie Mellon University Software Engineering Institute CMU/SEI-20050HB-001, First Responders Guide\nto Computer Forensics, Sandia National Laboratories (SAND) SAND98-8667, A Common Language for\nComputer Security Incidents, Howard and Longstaff.\n52\n   Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated\nInformation Resources and Memorandum M-06-19 Reporting Incidents Involving Personally Identifiable\nInformation and Incorporating the Cost for Security in Agency Information Technology Investments, dated\nJuly 12, 2006.\n2010 Annual FISMA Assessment                                                              March 3, 2011\nReport No. 489\n                                               Page 35\n\x0c                                                                           Appendix V\n\n\n  Table 3: OIG Response to Question 4\n    ID            Questions from OMB Questionnaire             Response\n  4.a     The Agency has established and is maintaining an       Yes\n          incident response and reporting program that is\n          generally consistent with NIST\'s and OMB\'s FISMA\n          requirements. Although improvement opportunities\n          may have been identified by the OIG, the program\n          includes the following attributes:\n  4.a.1   Documented policies and procedures for responding\n          and reporting to incidents.\n  4.a.2   Comprehensive analysis, validation and\n          documentation of incidents.\n  4.a.3   When applicable, reports to US-CERT within\n          established timeframes.\n  4.a.4   When applicable, reports to law enforcement within\n          established timeframes.\n  4.a.5   Responds to and resolves incidents in a timely\n          manner to minimize further damage.\n Source: OMB FISMA Web Portal\n\n\n\n\nSection 4: Status of Security Training Program\nBackground. Annual Cybersecurity Awareness Training is a FISMA and OMB\nCircular A-130, Appendix III, requirement for all federal government employees\nand contractors. NIST SP 800-16 Information Technology Security Training\nRequirements: A Role and Performance-Based Model provides guidance for\ndesigning a standard training program which includes good computer security\npractices, information on latest threats and vulnerabilities, those requiring specific\nrole-based training, etc. Specialized training is designed for personnel with\nsignificant IT security or system administration responsibilities to enhance their\nknowledge and skill-sets.\n\nResults of Assessment. OIT has developed and implemented II 24-04.03.01\nImplementing Instruction IT Security Awareness and Training Program and\nOperating Directive (OD) 24-04.03 Operating Directive IT Security Human\nResources Security Program documenting the roles and responsibilities for\nSecurity Training and documenting the requirements for SEC staff and\ncontractors. C5i has reviewed these policies and has determined that they are\nthorough and incorporate NIST, FISMA, and OMB guidance, as well as\nCybersecurity best practices.\n\nIn 2007, the OIT purchased the Department of State\xe2\x80\x99s Cybersecurity Awareness\nTraining Module (Joint STATE-USAID (JSAS)). This computer based training\nprovided standard cyber security training across the federal government and it\nhad a tracking mechanism to provide user completion statistics. In 2010, OIT\nreturned to using its in-house Cybersecurity Awareness training module which\nprovided the office the ability to tailor its training. OIT\xe2\x80\x99s tailored training included\nthe SEC\xe2\x80\x99s Rules of the Road to ensure employees and contractors were familiar\n2010 Annual FISMA Assessment                                                March 3, 2011\nReport No. 489\n                                        Page 36\n\x0c                                                                                          Appendix V\n\nwith not only Cybersecurity best practices, but all the SEC-specific practices for\nhandling and protecting information. OIT takes Cybersecurity Awareness training\nvery seriously. Personnel (employees and contractors) who do not successfully\ncomplete the training by the established deadline, risk having their access\ncredentials frozen until the training is completed. As of November 15, 2010,\n4,732 of 4,778 (99.04 percent) of SEC employees and contractors successfully\ncompleted the training. In addition, 535 of 539 (99.26 percent of users with\nspecial roles completed the specialized \xe2\x80\x9crole based access training.\xe2\x80\x9d\n\nResponse. Concerning questions 4.a.1 through 4.a.5, as described above,\nbased on our review of the SEC\xe2\x80\x99s policies and procedures surrounding\nCybersecurity Awareness Training, and completing the required training\nourselves, we determined that the SEC has developed and is maintaining an\nappropriate training program. The program has documented and implemented\npolicies and procedures, roles and responsibilities, training statistics are\ncompiled and maintained to track the completion of the training, and the training\ncontent is clear and in accordance with appropriate federal guidance and industry\nbest practices.\n\nBelow, C5i provided our response to question 5 as shown in Table 4.\n\n Table 4: OIG Response to Question 5\n    ID                Questions from OMB Questionnaire                         Response\n  5.a      The Agency has established and is maintaining a security              Yes\n           training program that is generally consistent with NIST\'s and\n           OMB\'s FISMA requirements. Although improvement\n           opportunities may have been identified by the OIG, the\n           program includes the following attributes:\n\n  5.a.1   Documented policies and procedures for security awareness\n          training.\n  5.a.2   Documented policies and procedures for specialized training\n          for users with significant information security responsibilities.\n  5.a.3   Appropriate training content based on the organization and\n          roles.\n  5.a.4   Identification and tracking of all employees with login privileges\n          that need security awareness training.\n  5.a.5   Identification and tracking of employees without login\n          privileges that require security awareness training.\n  5.a.6   Identification and tracking of all employees with significant\n          information security responsibilities that require specialized\n          training.\n Source: OMB FISMA Web Portal\n\n\n\nSection 5: Status of Plans of Actions &\nMilestones (POA&M) Program\nBackground. The Plan of Action and Milestones (POA&M) is a key document in\na C&A package. It is used to document identified weaknesses/vulnerabilities\ndiscovered through security control assessments, security impact analyses, and\n2010 Annual FISMA Assessment                                                              March 3, 2011\nReport No. 489\n                                                Page 37\n\x0c                                                                                       Appendix V\n\ncontinuous monitoring activities. A POA&M document will contain information on\nthe system, the identified vulnerability, severity and risk level of the vulnerability,\napplicable control family based on NIST SP 800-53, recommended remediation\nand timeline, and responsible party/organization. 53\n\nResults of Assessment. Through interviews and reviews of the Automated\nProcurement System (APS) and the General Support System (GSS) POA&M\xe2\x80\x99s,\nC5i has determined that the Commission maintains an effective POA&M process.\nOIT effectively consolidates agency plans to correct security weaknesses found\nduring various security reviews, including audits performed by the OIG, system\ncertification and accreditation, GAO audits, financial system audits, and critical\ninfrastructure vulnerability assessments. The POA&Ms are tracked using a\ncompliance spreadsheet which allows for quarterly tracking and updates. OIT\xe2\x80\x99s\nPOA&M process provides an effective roadmap for continuous security\nimprovement, assists with prioritizing corrective action and resource allocation,\nand is a valuable management and oversight tool.\n\nThe SEC\xe2\x80\x99s POA&M process is documented and implemented through SEC\nPolicy 24-04.10.01 (02.0) IT Security Certification and Accreditation and SEC\nPolicy 24-04.10, IT Security Compliance Program (01.0). The POA&M process\nis centrally managed by OIT, and includes both Commission and contractor\noperated systems. The POA&M is developed by the C&A Coordinator, with\nassistance from the Chief Information Security Officer (CISO) and OIT Technical\nLiaison, and captures the decisions made regarding mitigation and/or acceptance\nof each of the risks enumerated in the Risk Assessment Report. The POA&M\ndescribes each risk, lists the selected mitigation (if any) and its cost (in staff or\nother resources), assigns responsibility for implementing the mitigation, lists the\ncompletion date for the mitigation activity, and provides justification if the risk is to\nbe accepted. The C&A Coordinator is responsible for ensuring resources are\napplied to POA&M activities to meet the milestones therein. The CISO is\nresponsible for monitoring progress of mitigation activities described in the\nPOA&M, and for periodic security compliance reviews of all information systems.\nWhen a security weakness is identified, program officials quickly develop,\nimplement, and manage POA&Ms for Commission systems. They report their\nprogress to the Chief Information Officer (CIO) on a quarterly basis, and centrally\ntrack, maintain, and review POA&M activity on a quarterly basis. In addition, OIG\nrecommendations are routinely incorporated into the POA&M process, and the\nPOA&M process effectively prioritizes IT security weaknesses to help ensure\nsignificant IT security weaknesses are addressed in a timely manner, and the\nappropriate resources are received. OIT staff member\xe2\x80\x99s track POA&M\xe2\x80\x99s by using\nthe DOJ sponsored CSAM application tool. DOJ externally host the tool and OIT\nhas used it since March 2009. Screenshots of the various CSAM functions used\nby OIT for tracking POA&M\xe2\x80\x99s can be found in Appendix VIII.\n\n53\n  The National Institute of Standards and Technology, Special Publication 800-53, Rev 3, \xe2\x80\x9cRecommended\nSecurity Controls for Federal Information Systems and Organizations,\xe2\x80\x9d August 2009.\n2010 Annual FISMA Assessment                                                           March 3, 2011\nReport No. 489\n                                              Page 38\n\x0c                                                                                      Appendix V\n\nWhile OIT is no longer required to submit quarterly updates of its POA&M\xe2\x80\x99s, the\noffice has made quarterly updates its standard procedure to ensure timely\nremediation and the closure of POA&M findings.\n\nResponse. Concerning questions 6.a.1 through 6.a.6, as described above, OIT\nhas established and is maintaining a POA&M program that is generally\nconsistent with NIST and OMB\xe2\x80\x99s FISMA requirements to track and monitor\nknown information security weaknesses. OIT has developed policies and\nprocedures documenting the roles and responsibilities of staff for the C&A\nprocess as it pertains to POA&M\xe2\x80\x99s. Weaknesses documented on a POA&M are\ndocumented and may include vulnerability description, responsible party, severity\nof weakness, plan and timeline of remediation, and responsible party. POA&M\nitems are tracked using CSAM and OIT staff performs quarterly updates to\nensure the accuracy of the POA&M. We provided our response to question 6 as\nshown in Table 5 below.\n\n Table 5: OIG Response to Question 6\n    ID               Questions from OMB Questionnaire                      Response\n  6.a     The agency has established and is maintaining a POA&M              Yes\n          program that is generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s\n          FISMA requirements and tracks and monitors known\n          information security weaknesses. Although improvement\n          opportunities may have been identified by the OIG, the\n          program includes the following attributes:\n  6.a.1   Documented policies and procedures for managing all known\n          IT security weaknesses.\n  6.a.2   Tracks, prioritizes and remediates weaknesses.\n  6.a.3   Ensures remediation plans are effective for correcting\n          weaknesses.\n  6.a.4   Establishes and adheres to reasonable remediation dates.\n  6.a.5   Ensures adequate resources are provided for correcting\n          weaknesses.\n  6.a.6   Program officials and contractors report progress on\n          remediation to CIO on a regular basis, at least quarterly, and\n          the CIO centrally tracks, maintains, and independently\n          reviews/validates the POA&M activities at least quarterly.\n Source: OMB FISMA Web Portal\n\n\nSection 6: Status of Remote Access Program\nBackground. Remote access is the ability to access a computer or a network\nfrom a remote location. Most commonly this type of access is used by\ntelecommuters (working from home), personnel on travel,\nconsultants/contractors, and others who are not permanently based at a facility.\n\nEstablishing a remote connection requires internet access and, for\nnetwork/account security reasons, should require multi-factor authentication \xe2\x80\x93 a\nuser name, personal identification number (PIN) and passcode from a secure\ntoken to establish connection to the network, followed by the users account\ndomain user name and password to access applications and/or workstations.\n\n2010 Annual FISMA Assessment                                                          March 3, 2011\nReport No. 489\n                                               Page 39\n\x0c                                                                                        Appendix V\n\nNIST SP 800-53 provides specific guidance for remote access in the Access\nControl section. It specifically states:\n\n        The organization:\n           \xe2\x80\xa2 Documents allowed methods of remote access to the information\n              system;\n           \xe2\x80\xa2 Establishes usage restrictions and implementation guidance for\n              each allowed remote access method;\n           \xe2\x80\xa2 Monitors for unauthorized remote access to the information system;\n           \xe2\x80\xa2 Authorizes remote access to the information system prior to\n              connection; and\n           \xe2\x80\xa2 Enforces requirements for remote connections to the information\n              system. 54\n\nResults of Assessment. The SEC has documented policies and procedures\nsurrounding remote access (authorization, monitoring, and controlling):\nOperating Procedure (OP) 24-04.06.03.02 Security Configuration of Remote\nAccess and OP 24-04.06.03.04 SecurID Token Assignment and 24-\n04.06.03.02.T01 Remote Access Checklist as well as the SEC Rules of the\nRoad, which outline user roles and responsibilities in securely accessing systems\nremotely.\n\nAccessing SEC systems remotely can be performed in the following ways:\n\n\n\n\nAccessing email                                       allows the user to read and\nrespond to their email, but does not allow the users to access any SEC internal\nsystems, i.e., intranet or other SEC applications (HUB, Momentum). That access\nis available only via login to                           . All remote access at the\nSEC requires multi-factor authentication \xe2\x80\x93 user name, RSA token 55\n    , as well as a network password is required. As a security measure for\nremote access, all remote sessions will terminate after              of inactivity.\nThis helps to protect the system from unauthorized access if a user leaves their\nworkstation unattended for a period of time. Once a session has terminated, the\nuser will have to re-authenticate to resume their remote session.\n\n\n\n54\n   The National Institute of Standards and Technology, Special Publication 800-53, Rev 3, \xe2\x80\x9cRecommended\nSecurity Controls for Federal Information Systems and Organizations,\xe2\x80\x9d August 2009, p. F-14, Control:\nAccess Control, AC-17 Remote Access.\n55\n   An RSA token or SecurID is a two-factor authentication mechanism.\n2010 Annual FISMA Assessment                                                            March 3, 2011\nReport No. 489\n                                              Page 40\n\x0c                                                                      Appendix V\n\nThrough interviews conducted, we found that OIT documents, monitors, and\ncontrols all methods of remote access (e.g., dial-up, Internet) to the information\nsystem including remote access for privileged functions. Appropriate\norganization officials authorize each remote access method for the information\nsystem and authorize only the necessary users for each access method. All\nusers who need remote access must complete and submit the Rules of Behavior\nfor Remote Access. This document must be approved in writing by the user,\nusers\' supervisor, and Information System Security Officer. The approved\ndocument is delivered to the OIT Security for processing.\n\nThe SEC requires that sensitive files transmitted across public networks or are\nstored on mobile devices and removable media such as compact discs and flash\ndrives, to be encrypted. OIT implements information flow control policies and\nenforcement mechanisms to control the flow of information between designated\nsources and destinations (e.g., networks, individuals, devices) within information\nsystems and between interconnected systems. Firewalls and routers are used to\nrestrict information flows between GSS and interconnected systems. The SEC\nimplements flow control through user roles, Secure Sockets Layer (SSL)\nconnections, and individual accounts.\n\nUnderlying network protocols provide confidentiality and integrity protection, as\ndo higher-layer cryptographic mechanisms (such as SSL for client/server\ncommunications). Application components are segregated, and each segment of\nthe system is located on a single server. The GSS supports authorized remote\nlogin to the SEC\xe2\x80\x99s networks via the virtual private network and Citrix, both of\nwhich provide encryption during transmission over the internet.\n\nResponse. Concerning questions 7.a.1 - 7.a.7, the SEC has well documented\nand communicated remote access policies and procedures that comply with\nNIST and OMB guidance for identification and multi-factor authentication,\nprotection of the information via encryption, firewalls, and monitoring remote\nconnections. Our response to question 7 is shown in Table 6 below.\n\n\n\n\n2010 Annual FISMA Assessment                                          March 3, 2011\nReport No. 489\n                                     Page 41\n\x0c                                                                                     Appendix V\n\n  Table 6: OIG Response to Question 7\n   ID               Questions from OMB Questionnaire                      Response\n   7.a     The Agency has established and is maintaining a remote           Yes\n           access program that is generally consistent with NIST\xe2\x80\x99s\n           and OMB\xe2\x80\x99s FISMA requirements. Although improvement\n           opportunities may have been identified by the OIG, the\n           program includes the following attributes:\n   7.a.1   Documented policies and procedures for authorizing,\n           monitoring, and controlling all methods of remote access.\n   7.a.2   Protects against unauthorized connections or subversion\n           of authorized connections.\n   7.a.3   Users are uniquely identified and authenticated for all\n           access.\n   7.a.4   If applicable, multi-factor authentication is required for\n           remote access.\n   7.a.5   Authentication mechanisms meet NIST Special\n           Publication 800-63 guidance on remote electronic\n           authentication, including strength mechanisms.\n   7.a.6   Requires encrypting sensitive files transmitted across\n           public networks or stored on mobile devices and\n           removable media such as CDs and flash drives.\n   7.a.7   Remote access sessions are timed-out after a maximum\n           of 30 minutes of inactivity after which re-authentication is\n           required.\n  Source: OMB FISMA Web Portal\n\n\nSection 7: Status of Account and Identity\nManagement Program\nBackground. Account and Identity Management is the process of how\npersonnel are identified and authorized across computer networks (logical\naccess) and facilities (physical access). It covers issues such as how users are\ngiven an identity, the protection of that identity, and the technologies supporting\nthat protection (e.g., network protocols, digital certificates, passwords, etc.).\n\nFor physical access, an ID badge or cardkey are the most common forms;\nhowever biometrics are also used. The badge generally has a photograph of the\nindividual and their location of employment. The badge also has a serial number\nassigned to it that is entered into the access system with the name of the\nassignee when issued. The badge is then scanned into a reader that authorizes\nand records the person\xe2\x80\x99s entry and sometimes exit, into a facility. The access\nbadges can also be programmed based on the individuals job function. For\nexample, access to a datacenter or secure operations center would only be\ngranted to those individuals who work in that area.\n\nFor logical access, users are given a unique identifier, usually their first initial and\nlast name \xe2\x80\x93 that will be used to access computers, networks, and/or applications\nbased on the individuals role. For both logical and physical access,\norganizations have developed their own processes and procedures to\ncommunicate to the various areas (security and network operations) the level of\n\n2010 Annual FISMA Assessment                                                         March 3, 2011\nReport No. 489\n                                                Page 42\n\x0c                                                                                            Appendix V\n\naccess an individual will require. This is usually handled through and electronic\nrequest or form generated by the supervisor.\n\nIn August, 2004, Homeland Security Presidential Directive-12 (HSPD-12)\nPolicies for a Common Identification Standard for Federal Employees and\nContractors was published to establish consistent identity and access controls\nthroughout the federal government. This directive was a result of inconsistent\nidentity management throughout federal agencies and the need to provide\n\xe2\x80\x9cSecure and reliable forms of identification\xe2\x80\x9d 56 for physical and logical access.\n\n         There are wide variations in the quality and security of identification\n         used to gain access to secure facilities where there is potential for\n         terrorist attacks. In order to eliminate these variations, U.S. policy is\n         to enhance security, increase Government efficiency, reduce\n         identity fraud, and protect personal privacy by establishing a\n         mandatory, Government-wide standard for secure and reliable\n         forms of identification issued by the Federal Government to its\n         employees and contractors (including contractor employees). This\n         directive mandates a federal standard for secure and reliable forms\n         of identification. 57\n\nResults of Assessment. Through our interviews and reviews, C5i found that the\nSEC has established an entity-wide Account and Identity Management program\nthat is generally consistent with NIST and OMB\xe2\x80\x99s FISMA requirements. 58 Below\nare procedures provided to the IT specialist and/or administrative specialist at the\nSEC to establish physical and logical access.\n\nLogical Access\n\nThe procedures for establishing, terminating, or modifying a Local Area Network\n(LAN) account are documented in SEC Operating Procedure 24-05.01.02.02\nLAN Account Creation, Modification, Termination, and Transfer. All requests for\ncreating new accounts, making account modifications (name change, change in\naccess levels, etc.), and the termination of accounts are handled by completing\nthe OP Template 24-05.01.02.T01 Request for Account Creation, Modification,\nTermination, or Transfer. Pertinent IT specialists or the office/division\xe2\x80\x99s\nadministrative contact is responsible for completing and submitting the form to\nthe TAC, LAN account management group. Once approved, the TAC will set-up\nan account for the user (based on the request) and provide the user with access\n\n56\n   Homeland Security Presidential Directive-12, August 27, 2004, Section 3.\n57\n   HSPD-12 Abstract, Source: http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm\n58\n   Federal Information Processing Standard Publication 201-1 Personal Identity Verification (PIV) of Federal\nEmployees and Contractors, March 2006, The National Institute of Standards and Technology, Special\nPublication 800-73-1 Interfaces for Personal Identity Verification, March 2006, The National Institute of\nStandards and Technology, Special Publication 800-76-1 Biometric Data Specification for Personal Identity\nVerification, January 2007, The National Institute of Standards and Technology, Special Publication 800-79\nGuidelines for the Certification and Accreditation of PIV Card Issuing Organizations, July 2005.\n2010 Annual FISMA Assessment                                                                March 3, 2011\nReport No. 489\n                                                Page 43\n\x0c                                                                                 Appendix V\n\ncredentials (e.g. user name and temporary password) which the user will be\nprompted to change upon their first login. When a user receives login\ncredentials, if requested they will also receive their RSA token for remote access\nand the instructions on how to activate the token, set-up the PIN, and remote\naccess procedures.\n\nAccess to SEC specific applications (e.g., HUB, Momentum, etc.) is handled by\nindividual office/division application system owners and is based on the users\xe2\x80\x99\nrole in the SEC. LAN accounts are also created for contractors working at the\nSEC and are requested and authorized by the Contacting Office Technical\nResource (COTR) for each specific contract. Each month OIT staff conducts an\naudit of user accounts that are not active for SEC employees and contractors.\nAn IT specialist reviews the list of the inactive employee accounts and\ndesignated COTRs are sent a list of inactive accounts for assigned contractors.\nThe TAC is advised about the status of the list.\n\nAccounts that are inactive for            are put into a \xe2\x80\x9cdormant\xe2\x80\x9d status and the\nuser will only be able to log in only to emails. Only the TAC can fully reactivate\ndormant accounts. Accounts having no activity for                are disabled.\nThough the user\xe2\x80\x99s name still appears on the system, the user cannot log into the\nnetwork. Once an account is inactive for              , an IT specialist is contacted to\ndetermine whether to keep the account in a disabled status or delete it. A good\nreason an IT specialist should not delete an account would be the determination\nto continue monitoring a person\xe2\x80\x99s emails. Account terminations are handled in\nthe exact same manner as when an account is established. The account is\ndisabled on the user\xe2\x80\x99s (employee or contractor\xe2\x80\x99s) date of separation, as\ndocumented by the IT specialist or administrative contact. In the event of\ninvoluntary terminations, the TAC and OIT security are immediately notified and\nthe account is terminated.\n\nThrough a separate audit performed by the SEC ICFR group, it was discovered\nthat active directory accounts for 14 separated employees were not terminated,\nand two of those accounts were identified as being logged into after the\nemployees\xe2\x80\x99 termination dates. 59 Login credentials that are not properly disabled\nat the time of separation/termination of a user pose a serious security risk. The\ncredentials can be used by a malicious party to gain access to sensitive SEC\ndata and compromise the system. If the terminated/separated user had elevated\nprivileges, e.g., local administrative rights, there would be an even greater threat\nof serious compromise or damage to the SEC data/network due to the higher\nlevel of access.\n\nThe level of access given to a user is specific to their job function and is known\nas \xe2\x80\x9cleast privilege.\xe2\x80\x9d Least privilege is defined by NIST SP 800-53 as \xe2\x80\x9callowing\nonly authorized accesses for users (and processes acting on behalf of users)\nwhich are necessary to accomplish assigned tasks in accordance with\n59\n     SEC A-123 FY 2010, Notification of Finding and Recommendation GSS-NFR 08.\n2010 Annual FISMA Assessment                                                     March 3, 2011\nReport No. 489\n                                              Page 44\n\x0c                                                                                            Appendix V\n\norganization missions and business functions.\xe2\x80\x9d 60 We found there are a large\nnumber of users at the SEC who have escalated privileges, specifically local\nadministrative access 61 on a permanent basis, but whose job function does not\nnecessarily require that function. Having local administrative access allows\nusers to install software on their computer without any oversight of OIT and make\nconfiguration changes, etc. It is also a significant risk to SEC systems if the\nuser\xe2\x80\x99s account is compromised by a malicious party, as they will have the ability\nto infiltrate further into the network. There are reasons for granting temporary\nadmin access, e.g., 90 minutes, to perform a function such as installing\nCyberscope to perform OMB reporting, but this privilege should have a finite\ntimeframe.\n\nThe HSPD-12 program referenced earlier in this section applies not only to\nphysical access, but is also intended for logical access. When the program is\nfully implemented, personnel will not be able to access information systems \xe2\x80\x93\nnetwork, email, etc., without their card scanned and input of their specific HSPD-\n12 password. This is a different password then the current network and\napplication passwords that employees use.\n\nIn order for this to be implemented, the card issuance must be completed and the\nacquisition of the equipment completed and deployed. For users who do not\nwork in the field or remotely, their system will be equipped with either a keyboard\nwith a card scanner or a scanner that connects to their equipment via USB port.\nHowever, there are users at the SEC (employees and contractors) who are not\nlocated at SEC offices who always access the SEC systems remotely, and those\nsolutions are not feasible. OIT is currently researching solutions for the remote\nissues.\n\nPhysical Access\n\nThe current badge process for employees and contractors is to complete the\npertinent forms \xe2\x80\x93 personal data form, release of credit, etc. In order for the forms\nto be processed, they must be sponsored. Employees and contractors requiring\naccess for a period greater than six months must get a PIV card. This\nemployee/contractor\'s name must be provided by an Office of Human Resources\n(OHR) Talent Management for new employees or the payroll system for current\nemployees. Contractor requests come from the COTR. Both OHR and the\nCOTR are responsible for getting the documents and providing them to OHR\nPersonnel Security for the individual to be sponsored. Once sponsored, OHR\nPersonnel Security will review the Office of Personnel Management\xe2\x80\x99s Personnel\nInvestigation Processing System\'s application to verify if the person has a\n\n60\n   The National Institute of Standards and Technology, Special Publication 800-53, Rev 3, Recommended\nSecurity Controls for Federal Information Systems and Organizations, August 2009, p. F-9, Control: Access\nControl, AC-6, Least Privilege.\n61\n   Local Administrative access provides users with higher privileges on their workstations than normal users.\nThis level of privilege allows the user to perform functions, such as installation of third party software,\nremoving or turning off settings, e.g., forced encryption, etc.\n2010 Annual FISMA Assessment                                                                March 3, 2011\nReport No. 489\n                                                Page 45\n\x0c                                                                                        Appendix V\n\nbackground investigation on record that meets the SEC\'s minimum requirements.\nIf they do, the file is adjudicated and the employee is approved for a badge. If\nnot, then the employee/contractor\'s fingerprints are sent to the FBI for verification\nand then the adjudicator reviews the results and sends out the rest of the\ndocumentation to complete the cross agency verification. Once all results are\nreceived, the adjudicator reviews the information and makes a determination for\nsuitability for employment at the agency. Once the person has been successfully\nadjudicated then the person is authorized to get their badge and obtain access to\nthe SEC network.\n\nAll access badges are programmed with access privileges based on the\nindividual roles and responsibilities. NIST SP 800-53 provides guidance on\nphysical access authorization and control.\n\n        Physical Access Authorizations - The organization:\n           a. Develops and keeps current a list of Personnel with authorized\n              access to the facility where the information system resides ) except\n              for those areas within the facility officially designated as publicly\n              accessible);\n           b. Issues authorization credentials; and\n           c. Reviews and approves the access list and authorization\n              credentials, removing from the access list personnel no longer\n              requiring access. 62\n\n        Physical Access Control - the organization:\n           a. Enforces physical access authorizations for all physical access\n              points (including designated entry/exit points) to the facility where\n              the information system resides (excluding those areas within the\n              facility officially designated as publicly accessible);\n           b. Verifies individual access authorizations before granting access to\n              the facility;\n           c. Controls entry to the facility containing the information systems\n              using physical access devices and/or guards;\n           d. Controls access to areas officially designated as publicly accessible\n              in accordance with the organizations assessment of risk;\n           e. Secures keys, combinations, and other physical access devices;\n           f. Inventories physical access devices; and\n           g. Changes combinations and keys when keys are lost, combinations\n              are compromised, or individuals are transferred or terminated. 63\n\nThe SEC is currently implementing the HSPD-12 card rollout through an\ninteragency agreement with the General Services Administration (GSA) for the\n\n62\n   The National Institute of Standards and Technology, Special Publication 800-53, Rev 3, \xe2\x80\x9cRecommended\nSecurity Controls for Federal Information Systems and Organizations,\xe2\x80\x9d August 2009, p. F-76, Control:\nPhysical and Environmental Protection, PE-2 Physical Access Authorizations.\n63\n   Id. at p. F-77\n2010 Annual FISMA Assessment                                                            March 3, 2011\nReport No. 489\n                                              Page 46\n\x0c                                                                       Appendix V\n\nexpress purposes of using the GSA HSPD-12 Shared Services Solution,\nconsisting of Enrollment/Activation Stations for sending data (i.e., scanned\nfingerprint images with authentication information) to request issue of Personal\nIdentity Verification (PIV) credentials, also referred to as an HSPD-12 card. The\nSEC selected the GSA Shared Service solution because the cost to acquire the\ntechnology to support the program would have been expensive. In addition, the\nGSA Shared Service solution provided the equipment, personnel, and has\nalready acquired the equipment and technology needed to implement the\nprogram. Further, the GSA Shared Service solution had completed a certification\nand accreditation of its system.\n\nFor an employee or contractor that requires an HSPD-12 badge, the\nemployee/contractor is sponsored into the GSA USAccess system for the\nprocessing of the card, and if needed, a background investigation is initiated \xe2\x80\x93\nthis applies to employees and contractors. Once the investigation is successfully\ncompleted, the individual will receive notification that they can begin the\nenrollment process for their card. This notification includes instructions on how\nto register for the enrollment, locations and hours, and the ability to schedule the\nappointment.\n\nAs of the date of our interviews (September 20, 2010), the initial card rollout was\nestimated to be completed by September 30, 2010. However, the date has since\nbeen revised to June 30, 2011 and this change was reported to OMB.\n\nResponse. Concerning question 8b, C5i found that the SEC has implemented\nand is maintaining an Identity and Access management program that has\ndocumented policies and procedures; however through our interviews and\nreview, we found three areas of improvement:\n\nIn response to question 8.a.7, C5i found that logical accounts are not properly\nterminated when users no longer require access. In addition, we found that the\nSEC\xe2\x80\x99s Internal Control for Financial Reporting group identified Active Directory\n(AD) network accounts for separated/terminated employees have not been\ndisabled in a timely manner. Specifically, it was found that 14 separated SEC\nemployees AD network accounts had been disabled. Two if these employees\nAD network accounts were identified as having been logged into after the\nemployee\xe2\x80\x99s SEC termination date and a disabled AD account was identified as\nbeing logged into after another SEC employee\xe2\x80\x99s terminated date.\n\nIn response to question 8.a.9, C5i found that the SEC has not adequately\nplanned for implementation of PIV for Logical Access. In addition, we found that\nthe SEC has not completed its rollout of the PIV badge to all employees and\ncontractors, as required by the HSPD-12 directive. As a result, all employees\nand contractors are not utilizing the PIV badge for physical access and logical\naccess. Further, a complete rollout of technology to support the PIV program\nhas not been completed.\n\n2010 Annual FISMA Assessment                                           March 3, 2011\nReport No. 489\n                                     Page 47\n\x0c                                                                                     Appendix V\n\n\n\nRegarding question 8.a.10, C5i found that privileges granted are excessive or\nresult in capability to perform conflicting functions. Additionally, we found that the\nSEC has an excessive number of persons who have been granted administrative\naccess on a permanent basis but whose job function may not require this level of\nprivilege on an indefinite basis. We provided our response to question 8 as\nshown in Table 7 below.\n\n  Table 7: OIG Response to Question 8\n     ID               Questions from OMB Questionnaire                       Response\n  8.b      The Agency has established and is maintaining an account            Yes\n           and identify management program that identifies users and\n           network devices. However, the Agency needs to make\n           significant improvements as noted below.\n           If b. checked above check areas that need significant\n           improvement:\n  8.a.7    Accounts are not properly terminated when users no longer           Yes\n           require access (NIST 800-53, AC-2).\n           Comments: The SEC\xe2\x80\x99s Internal Control for Financial\n           Reporting group identified Active Directory (AD) network\n           accounts for separated/terminated employees have not been\n           disabled in a timely manner. Specifically, it was found that 14\n           separated SEC employees AD network accounts had been\n           disabled. Two if these employees AD network accounts were\n           identified as having been logged into after the employee\xe2\x80\x99s\n           SEC termination date and a disabled AD account was\n           identified as being logged into after another SEC employee\xe2\x80\x99s\n           terminated date.\n   8.a.9   Agency has not adequately planned for implementation of PIV         Yes\n           for logical access (HSPD 12, FIPS 201, OMB M-05-24, OMB\n           M-07-06, and OMB M-08-01).\n           Comments: The SEC has not completed its rollout of the PIV\n           badge to all employees and contractors, as required by the\n           HSPD-12 directive. As a result, all employees and contractors\n           are not utilizing the PIV badge for physical access and logical\n           access. Further, a complete rollout of technology to support\n           the PIV program has not been completed.\n   8.a.10  Privileges granted are excessive or result in capability to         Yes\n           perform conflicting functions (NIST 800-53, AC-2, and AC-6).\n           Comments: The SEC has an excessive number of\n           persons who have been granted administrative access\n           on a permanent basis but whose job function may not\n           require this level of privilege on an indefinite basis.\n  Source: OMB FISMA Web Portal\n\n\nSection 8: Status of Continuous Monitoring\nProgram\nBackground. Continuous monitoring is the process of tracking the security state\nof an information system on an ongoing basis and maintaining the security\nauthorization for the system over time. Understanding the security state of\ninformation systems is essential in highly dynamic environments of operation with\nchanging threats, vulnerabilities, technologies, and missions/business processes.\nNetwork vulnerability assessments, Intrusion Detection System (IDS), Intrusion\n2010 Annual FISMA Assessment                                                            March 3, 2011\nReport No. 489\n                                               Page 48\n\x0c                                                                                        Appendix V\n\nPrevention System (IPS), and C&A are all components of a continuous\nmonitoring program. NIST SP 800-53 provides guidance on continuous\nmonitoring, specifically:\n\n         Security Assessment and Authorization, CA-7 Continuous Monitoring - the\n         organization establishes a continuous monitoring strategy and implements\n         a continuous monitoring program that includes:\n\n                     a. A configuration management process for the\n                        information systems and its constituent components;\n                     b. A determination of the security impact of changes to\n                        the information system and environment of operation;\n                     c. Ongoing security control assessments in accordance\n                        with the organizational continuous monitoring\n                        strategy;\n                     d. Reporting the security state of the information system\n                        to appropriate organizational officials;\n                     e. Employs an independent assessor or assessment\n                        team to monitor the security controls in the\n                        information system on an ongoing basis; and\n                     f. Plans, schedules, and conducts assessments to\n                        ensure compliance with all vulnerability mitigation\n                        procedures. 64\n\nResults of Assessment. Through interviews and documentation review, C5i\nfound that the SEC has an entity-wide continuous monitoring program that\nassesses the security state of information systems that is generally consistent\nwith NIST and OMB\xe2\x80\x99s FISMA requirements; however, improvements need to be\nmade. Specifically, OIT\xe2\x80\x99s continuous monitoring procedures should be improved\nto provide sufficient detail regarding when patches have been implemented. In\naddition, patches are not applied in a consistent manner as noted in Report No.\n485. C5i noted that the SEC documented many policies addressing the various\nfacet of continuous monitoring.\n\n     \xe2\x80\xa2   Patch Management: 24.05.04.03.01 UNIX Server Patch\n         Management, 24.05.04.03.02 Windows Server Patch Installation,\n         24.05.04.03.03 Security-Related Patch Management for Windows-\n         based Workstations\n     \xe2\x80\xa2   C&A: 24-04, Information Technology Security Program, 24-04.10\n         IT Security Compliance Program, Implementing Instruction: IT\n         Security Certification and Accreditation, 24-04.10.02 Implementing\n         Instruction: IT Security Risk Management.\n\n\n64\n  The National Institute of Standards and Technology, Special Publication 800-53, Rev 3, \xe2\x80\x9cRecommended\nSecurity Controls for Federal Information Systems and Organizations,\xe2\x80\x9d August 2009, page F-37, Control:\nSecurity Assessment and Authorization, CA-7 Continuous Monitoring.\n2010 Annual FISMA Assessment                                                            March 3, 2011\nReport No. 489\n                                              Page 49\n\x0c                                                                              Appendix V\n\nAs noted in the Section 1 of this report, C5i found that the SEC C&A process\nadequately provides appropriate risk categories, adequate risk assessments,\nselection of appropriate controls, adequate testing of controls, and regular\nmonitoring of system risks and the adequacy of controls.\n\nOIT is responsible for performing monthly vulnerability scans on the SEC\nnetwork, as well as performing IDS and IPS functions. For vulnerability\nscanning, the SEC recently upgraded their vulnerability scanning tool from\n                                        , both are commercial-off-the-shelf\nproducts and are widely used in government and commercial enterprises. For\nintrusion prevention and detection, OIT uses               as its   , and\n            as its\n\nOIT has documented policies and procedures for Patch Management; however,\nas previously mentioned in the SEC OIG\xe2\x80\x99s Assessment of the SEC\xe2\x80\x99s Privacy\nProgram Report 65 and in Section 2 of this report, patches are not being deployed\nin a timely manner and OIT is unable to provide documentation and/or evidence\nof when a patch was actually deployed. Moreover, as noted in Section 2 of this\nreport, SEC patching policies and procedures are not being fully adhered to and\nthere is insufficient documentation supporting the implementation of patches.\n\nResponse. In response to question 9.a.2, C5i found that the SEC\xe2\x80\x99s continuous\nmonitoring procedures are not fully developed or consistently implemented.\nAlso, C5i found that OIT\xe2\x80\x99s continuous monitoring procedures do not provide\nsufficient detail regarding when patches have been implemented. In addition,\npatches are not applied in a consistent manner as noted in the Report No. 485.\nConcerning question 9b, C5i found that the SEC has established an agency-wide\ncontinuous monitoring program to assess, however improvement is needed. We\nprovided our response to question 9 as shown in Table 8 below.\n\n\n\n\n65\n  SEC OIG Assessment of SEC\xe2\x80\x99s Privacy Program, Report No. 485, September 29, 2010.\n2010 Annual FISMA Assessment                                                    March 3, 2011\nReport No. 489\n                                         Page 50\n\x0c                                                                                        Appendix V\n\n         Table 8: OIG Response to Question 9\n         ID           Questions from OMB Questionnaire                    Response\n     9b        The Agency has established an entity-wide continuous          Yes\n               monitoring program that assesses the security state of\n               information systems. However, the Agency needs to make\n               significant improvements as noted below.\n              If b. checked above, check areas that need significant\n              improvement\n      9.b.2   Continuous monitoring procedures are not fully developed,      Yes\n              sufficiently detailed, or consistently implemented.\n              Comments: OIT\xe2\x80\x99s continuous monitoring procedures do\n              not provide sufficient detail for when patches have been\n              implemented. In addition, patches are not applied in a\n              consistent manner as noted in the OIG\xe2\x80\x99s Report No. 485.\n     Source: OMB FISMA Web Portal\n\n\nSection 9: Status of Contingency Planning\nProgram\nBackground. Continuity of Operations/Disaster Recovery (COOP/DR) is the\nprocesses, policies and procedures for re-establishing operations for an\nenterprise after a man-made or natural disaster. These procedures include, but\nare not limited to: re-activation of systems; communication to personnel; alternate\nwork location for personnel; roles and responsibilities; and utilities\n(telecommunications, power, water). NIST SP 800-53 provides guidance on with\na specific control for Contingency Planning which includes:\n\n     \xe2\x80\xa2    CP-1: Contingency Planning Policy and Procedures\n     \xe2\x80\xa2    CP-2: Contingency Plan\n     \xe2\x80\xa2    CP-3: Contingency Training\n     \xe2\x80\xa2    CP-4: Contingency Plan Testing and Exercises\n     \xe2\x80\xa2    CP-6: Alternate Storage Site\n     \xe2\x80\xa2    CP-7: Telecommunications Service\n     \xe2\x80\xa2    CP-9: Information Service Backup\n     \xe2\x80\xa2    CP-10 Information system Recovery and Reconstitution 66\n\nOrganizations perform tests of their disaster recovery plans, usually bi-annually,\nto ensure the full functionality of the plan and the fail-over systems, and\ndocument any problems for remediation.\n\nResults of Assessment. C5i found that the SEC has established and is\nmaintaining an entity-wide business COOP/DR that is consistent with NIST,\nFISMA, and OMB requirements; as well is consistent with the Federal Continuity\nDirective 67 (FCD) for developing continuity plans and programs. OIT has\n66\n   The National Institute of Standards and Technology, Special Publication 800-53, Rev 3, \xe2\x80\x9cRecommended\nSecurity Controls for Federal Information Systems and Organizations,\xe2\x80\x9d August 2009, p. F-47, Control:\nContingency Planning.\n67\n   Federal Continuity Directive (FCD), Federal Executive Branch Continuity Program and Requirements,\nFebruary 2008.\n2010 Annual FISMA Assessment                                                            March 3, 2011\nReport No. 489\n                                                Page 51\n\x0c                                                                                        Appendix V\n\ndeveloped and implemented OIT-00047-001.0 Disaster Recovery Planning\nProcedures, 24-04.09 IT Security Business Continuity Management Program,\nSEC Implementing Instruction 24-04.09.01 (02.0) System Business Impact\nAnalysis, and OIT-00003-001.0 Disaster Recovery Planning Policy to provide the\nauthority and guidance necessary to reduce the impact of a disruptive event or\ndisaster. These documents were reviewed and are compliant with appropriate\nFederal guidance.\n\nC5i found that the SEC\xe2\x80\x99s continuity planning facilitates the performance of\nessential functions during all-hazards, emergencies and other situations that may\ndisrupt normal operations. The COOP/DR plans are used to conduct\nassessments and track system performance at all times and under all conditions,\nto include natural disasters, man-made incidents, terrorism, and war. Further, C5i\nfound that the SEC COOP/DR program meets the requirements of the FCD.\nFCD 1 68 requires that essential functions be performed continuously following a\ndisaster, national emergency or other emergency event, or continuity of\noperations; and disaster recovery plan procedures must support their resumption\nwithin 12 hours or less after an event. In addition, COOP/DR capabilities must\nsupport continued performance of the functions for up to 30 days or until normal\noperations can be resumed. Given the requirements and parameters established\nin FCD 1, the Recovery Time Objectives for SEC applications are as follows:\n\n     \xe2\x80\xa2   Applications supporting SEC Primary Missions Essential Functions\n         (PMEF) -                 ;\n     \xe2\x80\xa2   Applications supporting SEC Mission Essential Functions (MEF) -\n                         ; and\n     \xe2\x80\xa2   All other applications -               .\n\nThe critical activities that are performed by the SEC, especially after a disruption\nof normal activities, are divided into three categories of essential functions:\nNational Essential Functions (NEF), PMEF, and MEF. The SEC Office of the\nExecutive Director (OED) has completed an analysis of its systems and has\nidentified them according to the essential functions they perform. The specific\nFederal government and SEC requirements requiring and defining the\nperformance of business continuity and disaster recovery are contained in the\npolicy and procedural references:\n\n     \xe2\x80\xa2   Federal Continuity Directive 1 (FCD 1), Federal Executive Branch\n         Continuity Program Requirements, February 2008;\n     \xe2\x80\xa2   Operating Directive (OD) 24-04.09 IT Security Business Continuity\n         Management Program; and\n     \xe2\x80\xa2   National Institute of Standards and Technology (NIST) Special\n         Publication (SP) 800-30; Risk Management Guide for Information\n         Technology Systems, July 2002.\n68\n  Federal Continuity Directive 1 (FCD 1), Federal Executive Branch Continuity Program and Requirements,\nFebruary 2008, p. 1.\n2010 Annual FISMA Assessment                                                            March 3, 2011\nReport No. 489\n                                              Page 52\n\x0c                                                                     Appendix V\n\nC5i verified that the agency has developed and performed an overall Business\nImpact Assessment (BIA) process. BIAs must be completed for all systems\ncurrently designated by the SEC as applications reportable under FISMA. In\naddition, BIAs must be completed for any new applications, which will be\nreportable under FISMA, and during the system\xe2\x80\x99s design phase. The BIA for the\n\xe2\x80\x9cTips, Complaints, and Referrals Repository\xe2\x80\x9d system, dated March 12, 2010 was\nreviewed.\n\nThe specific Federal government and SEC requirements requiring and defining\nthe performance of BIAs are contained in the policy and procedural references:\nSEC Implementing Instruction 24-04.09.01 (02.0), System Business Impact\nAnalysis, and NIST SP 800-34, Contingency Planning Guide for Information\nTechnology Systems, June 2002.\n\nC5i found that the SEC performs the development and documentation of division,\ncomponent, and IT infrastructure recovery strategies, plans and procedures. It\nwas confirmed that contingency planning and disaster recovery exercises were\nperformed in April and November 2010, which included the fail-over test results.\nAn \xe2\x80\x9cExercise After Action\xe2\x80\x9d report is prepared once the exercise is completed to\nincluded full documentation of the outcome of each phase of the exercise and\nincludes \xe2\x80\x9clessons learned\xe2\x80\x9d for issues or problems that occurred.\n\nThe SEC continues the performance of regular ongoing testing and exercising of\nits continuity/disaster recovery plans to determine their effectiveness and to\nmaintain current plans. C5i has verified that the Critical systems have alternate\nprocessing sites and the training, testing, and exercises have been developed.\n\nResponse. Concerning questions 10.a.1 through 10.a.7, C5i found that the SEC\nhas an entity-wide disaster recovery program that includes documented policies\nand procedures in compliance with federal guidance. Testing of the plan is\nconducted twice per year with results documented. We provided our response to\nquestion 10 as shown in Table 9 below.\n\n\n\n\n2010 Annual FISMA Assessment                                         March 3, 2011\nReport No. 489\n                                    Page 53\n\x0c                                                                                     Appendix V\n\n  Table 9: OIG Response to Question 10\n     ID                Questions from OMB Questionnaire                      Response\n    10.a     The Agency established and is maintaining an entity-wide          Yes\n             business continuity/disaster recovery program that is\n             generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA\n             requirements. Although improvement opportunities may have\n             been identified by the OIG, the program includes the\n             following attributes:\n   10.a.1    Documented business continuity and disaster recovery policy\n             providing the authority and guidance necessary to reduce the\n             impact of a disruptive event or disaster.\n   10.a.2    The agency has performed an overall Business Impact\n             Assessment.\n   10.a.3    Development and documentation of division, component, and\n             IT infrastructure recovery strategies, plans and procedures.\n   10.a.4    Testing of system specific contingency plans.\n   10.a.5    The documented business continuity and disaster recovery\n             plans are ready for implementation.\n   10.a.6    Development of training, testing, and exercises (TT&E)\n             approaches.\n   10.a.7    Performance of regular ongoing testing or exercising of\n             continuity/disaster recovery plans to determine effectiveness\n             and to maintain current plans.\n  Source:   OMB FISMA Web Portal\n\n\nSection 10: Status Agency Program to Oversee\nContractor Systems\nBackground. Outside contractors play an integral role in the federal government\noperations, as well as in commercial enterprises. Contractors can provide a wide\nrange of services from staff augmentation to technology system development,\noperation and maintenance. Contractors are subject to the same rules of\nconduct as employees of the organization they are brought in to support, and\ntherefore must adhere to all policies and procedures. Contractor systems\ndeployed in the federal government are subject to a full C&A prior to\nimplementation and are also governed by policies and procedures of the agency\nfor compliance with NIST, FISMA, and OMB guidance.\n\nResults of Assessment. C5i found that the SEC ensures that contractors or\nother entities of information system services employ adequate security controls in\naccordance with applicable federal laws, directives, policies, regulations,\nstandards, guidance, and established service level agreements. Interviews were\nconducted with several persons responsible for managing and administering the\nSEC\xe2\x80\x99s information systems security program, and a review of policies and\nprocedures provided by OIT to verify compliance. C5i also determined that the\nSEC has implemented appropriate policies 24-1.2 Introduction of New\nTechnology Into the Agency, 24-1.6 Enterprise Architecture, OD 24-03.01\nProcess and Product Assurance Management, OD 24-03.01.01 Process and\nProduct Assurance Management: Quality Management to perform oversight and\nevaluation of contractor information systems.\n\n2010 Annual FISMA Assessment                                                         March 3, 2011\nReport No. 489\n                                               Page 54\n\x0c                                                                      Appendix V\n\nC5i found that there are detailed procedures developed, documented, and\neffectively implemented to reduce risks from outsourced services by contractors\nof the agency, or other organization(s) on behalf of the agency, that explicitly\naddress the need for effective security controls at the service provider.\n\nThe SEC performs oversight and evaluation to ensure information systems used\nor operated by a contractor of the agency, or other organization(s) on behalf of\nthe agency, meet the requirements of FISMA, OMB, and NIST guidelines, as well\nas National Security Policy. Further, OIT maintains an inventory (Excel\nspreadsheet) of major information systems, including systems operated by\ncontractors on the agencies behalf. The system inventory was reviewed and is\nwell documented with the name of the system, system owner, and whether or not\nthe system is SEC operated or operated by a contractor on behalf of the\ncommission. The SEC authorizes all connections from the information system to\nother information systems outside of the accreditation boundary and\nmonitors/controls the system interconnections on an ongoing basis. Appropriate\norganizational officials approve the information system interconnection\nagreements, Security Plans and procedures to verify reduction of risk of\nintroducing a security flaw or breach to the organization.\n\nThese agreements are comprehensive and include detailed information\nregarding the purpose of the connection, the responsibilities of each party, a\ndescription of the systems or networks to be interconnected, procedures for\nresponding to security incidents, disaster and contingency plans, funding\nconsiderations, and numerous administrative details. As part of our review, we\nexamined Memoranda of Understanding (MOU\xe2\x80\x99s) and an Interconnection\nSecurity Agreement (ISA) between the SEC and DOJ, Department of Interior,\nand other government and contractor entities, that meet the requirements of\nNIST guidelines and OMB\xe2\x80\x99s FISMA requirements.\n\nResponse. In response to question 11, C5i found that the SEC has established\nand maintains a program to oversee systems operated on its behalf by\ncontractors. Concerning questions 11.a.1 through 11.a.6, C5i found that the\nSEC has established and is maintaining a program to oversee systems operated\non its behalf by contractors and/or other entities. There are documented policies\nand procedures that comply with NIST, FISMA, and OMB guidance. Based on\ninformation provided by OIT, but not verified by C5i through testing, an inventory\nof systems is maintained and kept up to date by OIT. All interfaces are identified\nand MOU\xe2\x80\x99s and ISA\xe2\x80\x99s are in place. We provided our response to question 11 as\nshown in Table 9 below.\n\n\n\n\n2010 Annual FISMA Assessment                                          March 3, 2011\nReport No. 489\n                                     Page 55\n\x0c                                                                                     Appendix V\n\n  Table 10: OIG Response to Question 11\n      ID               Questions from OMB Questionnaire                       Response\n     11.a   The Agency has established and maintains a program to               Yes\n            oversee systems operated on its behalf by contractors or\n            other entities. Although improvement opportunities may have\n            been identified by the OIG, the program includes the\n            following attributes:\n    11.a.1 Documented policies and procedures for information security\n            oversight of systems operated on the Agency\'s behalf by\n            contractors or other entities and that the Agency obtains\n            sufficient assurance that security controls of systems\n            operated by contractors or others on its behalf are effectively\n            implemented and comply with federal and agency guidelines.\n    11.a.2 A complete inventory of systems operated on the Agency\'s\n            behalf by contractors or other entities.\n    11.a.3 The inventory identifies interfaces between these systems\n            and Agency-operated systems.\n    11.a.4 The agency requires agreements (MOUs, Interconnect\n            Service Agreements, contracts, etc.) for interfaces between\n            these systems and those that is owns and operates.\n    11.a.5 The inventory, including interfaces, is updated at least\n            annually.\n    11.a.6 Systems that are owned or operated by contractors or entities\n            are subject to and generally meet NIST and OMB\'s FISMA\n            requirements.\n  Source: OMB FISMA Web Portal\n\n\n\n\n2010 Annual FISMA Assessment                                                             March 3, 2011\nReport No. 489\n                                               Page 56\n\x0c                                         Appendix VI\n\n\n\n\n2010 Annual FISMA Assessment             March 3, 2011\nReport No. 489\n                               Page 57\n\x0c                                         Appendix VI\n\n\n\n\n2010 Annual FISMA Assessment             March 3, 2011\nReport No. 489\n                               Page 58\n\x0c                                                                     Appendix VII\n\n\n     OIG Response to Management\xe2\x80\x99s Comments\n\nWe are pleased that OIT concurred with the report\xe2\x80\x99s recommendation and has\ninitiated actions to address the issues described in the report. We believe that\nfull implementation of these recommendations will act to strengthen the SEC\xe2\x80\x99s\ninformation security systems.\n\n\n\n\n2010 Annual FISMA Assessment                                          March 3, 2011\nReport No. 489\n                                     Page 59\n\x0c                                                         Appendix VIII\n\n\n                               Screenshots\n\nFigure 1: SEC Administrative Notice, Issued 11/23/2010\n\n\n\n\nSource: SEC Email from OIT\n\n\n\n\n2010 Annual FISMA Assessment                               March 3, 2011\nReport No. 489\n                                  Page 60\n\x0c                                         Appendix VIII\n\n\nFigure 2: CSAM Home Page\n\n\n\n\nSource: Generated by CSAM\n\n\n\n\n2010 Annual FISMA Assessment               March 3, 2011\nReport No. 489\n                               Page 61\n\x0c                                         Appendix VIII\n\n\nFigure 3: Inventory of GAO POA&Ms\n\n\n\n\nSource: Generated by CSAM\n\n\n\n\n2010 Annual FISMA Assessment               March 3, 2011\nReport No. 489\n                               Page 62\n\x0c                                         Appendix VIII\n\n\nFigure 4: POA&M Entry Page\n\n\n\n\nSource: Generated by CSAM\n\n\n\n\n2010 Annual FISMA Assessment               March 3, 2011\nReport No. 489\n                               Page 63\n\x0c                                         Appendix VIII\n\n\nFigure 5: POA&M Page\n\n\n\n\nSource: Generated by CSAM\n\n\n\n\n2010 Annual FISMA Assessment               March 3, 2011\nReport No. 489\n                               Page 64\n\x0c                                                   Appendix VIII\n\n\nFigure 6: Incident Escalation Flow Chart\n\n\n\n\nSource: SEC Incident Response Handbook\n\n\n\n\n2010 Annual FISMA Assessment                         March 3, 2011\nReport No. 489\n                                         Page 65\n\x0c                     Audit Requests and Ideas\nThe Office of Inspector General welcomes your input. If you would like to\nrequest an audit in the future or have an audit idea, please contact us at:\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General, Audits (Audit Request/Idea)\n100 F Street, N.E.\nWashington D.C. 20549-2736\n\nTel. #: 202-551-6061\nFax #: 202-772-9265\nEmail: oig@sec.gov\n\n\n\n\n      Hotline\n      To report fraud, waste, abuse, and mismanagement at SEC,\n      contact the Office of Inspector General at:\n\n      Phone: 877.442.0854\n\n      Web-Based Hotline Complaint Form:\n      www.reportlineweb.com/sec_oig\n\x0c'